LNCS  6258 


Igor  Kotenko 
Victor  Skormin  (Eds.) 


Computer 
Network  Security 


5th  International  Conference  on  Mathematical 
Methods,  Models  and  Architectures  for 
Computer  Network  Security,  MMM-ACNS  2010 
St.  Petersburg,  Russia,  September  2010,  Proceedings 


^  Springer 


REPORT  DOCUMENTATION  PAGE 

Form  Aoproved  0MB  No.  0704-0188 

Public  reportirig  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathenng  end 

maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  infoimetion. 
including  suggestions  for  reducing  the  burden,  to  Department  of  Defense.  Washington  Headquarters  Services.  Directorate  focinformation  Op*.-rations  end  Reports  (0704-0188).  1215  Jefferson 
Davis  Highway.  Suite  1204,  Arlington,  VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provfsnSrTof  law,  no  persori  f.'^ail  be  subject  to  any  penalty  for  failing  to  comply 
with  a  collection  of  information  if  it  does  not  display  a  currently  valid  OM8  control  number. 

PLEASE  DO  NOT  RETURN  YOUR  FORM  TO  THE  ABOVE  ADDRESS. 

1.  REPORT  DATE  fDD-AfM-yyVY)  2.  REPORT  TYPE 

15-07-2010  Final  Report 

3.  dates  covered  (From  -  To) 

2/ January  2009  -  27-Feb- 10 

4.  TITLE  AND  SUBTITLE 

Workshop  on  Scientific  Analysis  and  Policy  in  Network  Security 

5a.  CONTRACT  NUMBER 

FA8655-09-M-4004 

5b.  GRANT  NUMBER  > 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

Dr  Igor  Kotenko 

5d.  PROJECT  NUMBER 

5d.  TASK  NUMBER 

5e.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

St.  Petersburg  Institute  For  Informatics  &  Automation  of  the  Russian  Academy  of 

Sciences 

39  14th  Liniya 

St  Petersburg  199178 

Russia 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

N/A 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

EOARD 

Unit  451 5  BOX  14 

APO  AE  09421 

10.  SPONSOR/MONITOR’S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT  NUMBER(S) 
SPC  09-4004 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  Is  unlimited 

Copyrighted  materials:  Copyright  Springer-Verlag  Berlin  Heidelberg  2010 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 


This  report  entails  the  Proceedings  of  the  Fifth  International  Conference  Mathematical  Methods.  Models,  and  Architectures  for  Computer  Networks 
Security  (MMM-ACNS-2010),  and  includes  the  First  International  Workshop  Scientific  Analysis  and  Policy  Support  for  Cyber  Security  (SA&PS4CS- 
2010).  The  main  objectives  of  the  MMM-ACNS*2010  Conference  are  to  discuss  state-of-the-art  in  mathematical  methods  and  models  for  computer 
networks  and  information  security  to  promote  a  better  understanding  of  recent  achievements  and  trends  in  the  computer  network  security,  as  well  as 
making  use  of  recent  achievements  in  the  area  of  advanced  information  technologies  for  computer  network  and  information  assurance  Security 
assurance  of  resident  Information  and  computer  networks'  softv/are  is  one  of  the  important  problems  of  the  modern  computer  science  and  information 
technology.  The  problem  importance  is  confirmed  by  ever  increasing  multiplicity  and  diversity  of  threads  and  vulnerabilities  of  computer  networks, 
permanently  increasing  significance  and  value  of  information  itself,  and  by  potentially  devastating  consequences  of  successful  attacks  on  integrity, 
resource  availability  and  information  confidentiality.  Unauthorized  access  to  computer  network  facilities  and  network  resources,  especially  in  global 
networks  participating  in  real-time  control  operations,  may  be  truly  disastrous 


15.  SUBJECT  TERMS 

EOARD.  Network  Security.  Cyber  Operations 


r- 

"I 


16.  SECURITY  CLASSIFICATION  OF: 

a.  REPORT  b.  ABSTRACT  c. 
UNCLAS  UNCLAS 


THIS  PAGE 
UNCLAS 


17.  LIMITATION  OF 

ABSTRACT 

UL 


18,  NUMBER  19a.  NAME  OF  RESPONSIBLE  PERSON 

OF  PAGES  JAMES  LAWTON  Ph  D. 


145 


19b.  TELEPHONE  NUMBER  ^//)c/ucte  area  code; 


+44  (0)1895  616187 


Standard  Form  298  (Rev.  8/98) 

Prescribed  by  ANSI  Std  Z39-18 


6258 


Lecture  Notes  in  Computer  Science 

Coitimeticed  Public  ation  in  1973 
Founding  and  Former  Series  Editors: 

Gerhard  Goos,  Juris  Harlmanis,  and  Jan  van  Leeuwen 

Editorial  Board 

David  Hutchison 

iMiicastcr  University,  UK 
I'akeo  Kanade 

Carnegie  Mellon  University,  Pittsburgh,  PA,  USA 
Josef  Kittler 

University'  of  Surrey,  Guild  ford,  UK 
Jon  M.  Klcinbcrg 

Cornell  University,  Ithaca,  NY,  USA 
Alfred  Kobsa 

University  of  California,  lirine,  CA,  USA 
Friedemann  Mattern 

ETH  Zurich,  Switzerland 
John  C.  Mitchell 

Stanford  University,  CA,  USA 
Moni  Naor 

Weizniaun  Institute  of  Science,  Rehovot,  Israel 
Oscar  Nierstrasz 

University  of  Bern,  Switzerland 
C.  Pandu  Rangan 

Indian  Institute  of  Technology,  Madras,  India 
Bernhard  Steffen 

TU  Dortnnnid  University,  Gennany 
Madhu  Sudan 

Microsoft  Research,  Cand)ridge,  MA,  USA 
Demetri  Terzopoulos 

University  of  California,  Los  Angeles,  CA,  USA 
Doug  Tygar 

University  of  California,  Berkeley,  CA,  USA 
Gerhard  Weikum 

Max-Phinck  Institute  of  Computer  Scienc  e,  Sacirbruecken,  Gennany 


Igor  Kotenko  Victor  Skormin  (Eds.) 


Computer 
Network  Security 


5th  International  Conference  on  Mathematical 
Methods,  Models  and  Architectures  for 
Computer  Network  Security,  MMM-ACNS  20 1 0 
St.  Petersburg,  Russia,  September  8-10,  2010 
Proceedings 


20110211289 


•0  Springer 


744'  Fii-oi-o^SY 


Volume  Editors 


Igor  Kotenko 

Institution  of  the  Russian  Academy  of  Sciences 
St.  Petersburg  Institute  for  Informatics  and  Automation  of  RAS 
39,  14-th  Liniya,  St.  Petersburg,  199178,  Russia 
E-mail:  ivkote@comsee.spb.ru 

Victor  Skormin 

Binghamton  University  (SUNYI) 

Binghamton,  NY  13902,  USA 
E-mail:  vskormin@binghamton.edu 


Library  of  Congress  Control  Number:  2010931 166 


CR  Subject  Classification  (1998):  C.2,  D.4.6,  E.3,  K.6.5,  K.4,  H.4,  J.  1 


LNCS  Sublibrary:  SL  5  -  Computer  Communication  Networks  and 
Telecommunications 

ISSN  0302-9743 

ISBN- 10  3-642-14705-4  Springer  Berlin  Heidelberg  New  York 

ISBN- 1 3  978-3-642- 1 4705-0  Springer  Berlin  Heidelberg  New  York 


'I'his  work  is  subjcci  to  copyright.  All  rights  are  reserved,  whether  the  whole  or  part  ol  the  material  is 
concerned,  specifically  the  rights  of  translation,  reprinting,  re-use  of  illustrations,  recitation,  broadcasting, 
reproduction  on  microlilms  or  in  any  other  way.  and  sloragc  in  data  banks.  Duplication  of  this  publication 
or  parts  thereof  is  i^crmiltcd  only  under  the  provisions  of  the  German  Copyright  Law  of  Septemlxrr  9.  196.'5. 
in  its  current  version,  and  permission  for  use  must  always  he  obtained  from  Springer.  Violations  are  liable 
to  prosecution  under  the  German  Copyright  Law. 

springcr.com 

©  Springer- Verlag  Berlin  Heidelberg  2010 
Printed  in  Germany 

Typesetting:  Camera-ready  by  author,  data  conversion  by  Sc  lent  die  Publishing  Services.  Chennai.  India 
Printed  on  acid-free  paper  06/.3 1 80 


Preface 


This  volume  contains  papers  presented  at  the  5th  International  Conference  on  Mathe¬ 
matical  Methods,  Models  and  Architectures  for  Computer  Network  Security 
(MMM-ACNS  2010)  held  in  St.  Petersburg,  Russia,  during  September  8-10,  2010. 
The  conference  was  organi/.ed  by  the  Institution  of  the  Russian  Academy  of  Sciences 
St.  Petersburg  Institute  for  Informatics  and  Automation  of  RAS  (SPIIRAS)  in  coop¬ 
eration  with  Binghamton  University  (SUNY). 

The  previous  conferences  in  the  series  (MMM-ACNS  2001,  MMM-ACNS  2(X)3, 
MMM-ACNS  2(X)5  and  MMM-ACNS  2(X)7)  organized  by  SPIIRAS  and  Binghamton 
University  (SUNY)  demonstrated  the  great  interest  of  the  international  scientific  community 
in  the  theoretical  and  practical  aspects  of  computer  network  and  information  security. 

MMM-ACNS  2010  provided  the  next  international  lorum  for  sharing  original  re¬ 
search  results  among  specialists  in  fundamental  and  applied  problems  of  computer 
network  .security.  A  total  ol' 54  papers  from  19  countries  related  to  significant  aspects 
of  the  theory  and  applications  of  computer  network  and  information  security  were 
submitted  to  MMM-ACNS  2010:  16  papers  were  selected  for  regular  and  6  for  short 
presentations  (30%  of  acceptance  for  full  papers  and  40%  for  all  papers). 

Six  technical  .sessions  were  organized,  namely:  security  modeling  and  covert  chan¬ 
nels:  security  policies  and  formal  analysis  of  security  properties;  authentication, 
authorization,  access  control  and  public  key  cryptography:  intrusion  and  malware 
detection;  security  of  multi-agent  systems  and  software  protection;  adaptive  security, 
.security  analysis  and  virtualization.  The  MMM-ACNS  2010  program  was  enriched  by 
papers  presented  by  five  di.siinguished  invited  speakers:  Herve  Debar  (Institut  Tele¬ 
com  -  Telecom  SudParis,  France).  Dieter  Gollmann  (Technical  University  of  Ham- 
burg-Harburg,  Germany),  Greg  Morrisett  (Harvard  University,  USA),  Bart  Prenecl 
(Kalholickc  Univcrsitcit  Leuven,  Belgium),  and  Ravi  Sandhu  (University  of  Texas  at 
San  Antonio,  USA). 

The  success  of  the  conference  was  assured  by  the  team  elTort  of  the  sponsors, 
organizers,  reviewers  and  participants.  Wc  would  like  to  acknowledge  the  contribution 
of  the  individual  Program  Committee  members  and  thank  the  paper  reviewers.  Our 
sincere  gratitude  goes  to  the  participants  of  the  conference  and  all  authors  of  the  sub¬ 
mitted  papers.  We  are  grateful  to  our  spon.sor,  the  European  OlTicc  of  Aerospace 
Research  and  Development  (HOARD)  of  the  US  Air  Force,  the  US  Office  of  Naval 
Re.search  Global  (ONRGlobal),  and  the  Russian  Foundation  for  Basic  Research,  for 
their  generous  .support. 

We  wish  to  express  our  gratitude  to  the  Springer  LNCS  team  managed  by  Alfred 
Hofmann  for  their  help  and  cooperation. 


September  2010 


Igor  Kotenko 
Victor  Skormin 


Organization 


General  Chairs 

Rafael  M.  Yusupov  Institution  of  the  Russian  Academy  of  Sciences 

St.  Petersburg  Institute  for  Informatics  and 
Automation  of  RAS  (SPIIRAS),  Russia 
Robert  L.  Herklotz  \js  Air  Force  Office  of  Scientific  Research,  USA 


Program  Committee  Co-chairs 

Igor  Kotenko  Institution  of  the  Russian  Academy  of  Sciences 

St.  Petersburg  Institute  for  Informatics  and 
Automation  of  RAS  (SPIIRAS),  Russia 
Victor  Skormin  Binghamton  University,  USA 


Program  Committee 

Mikhail  Atallah 

Purdue  University,  USA 

Fabrizio  Baiardi 

University  of  Pisa,  Italy 

Cataldo  Basile 

Politecnico  di  Torino,  Italy 

Konstantin  Bczno.sov 

University  of  British  Columbia,  Canada 

Julien  Bourgeois 

University  of  Franche-Comte,  France 

Mariano  Ceceato 

Fondazione  Bruno  Kessler,  Italy 

David  Chadwick 

University  of  Kent,  UK 

Shiu-Kai  Chin 

Syracu.se  University,  USA 

Howard  Chi  vers 

Cranfield  University,  UK 

Christian  Collberg 

University  of  Arizona,  USA 

Miguel  Correia 

University  of  Lisbon,  Portugal 

Frederic  Cuppens 

TELECOM  Bretagne,  France 

Dipankar  Dasgupta 

University  of  Memphis,  USA 

Herve  Debar 

Institut  Telecom  -  Telecom  SudParis,  France 

Changyu  Dong 

Imperial  College  London,  UK 

Dennis  Gamayunov 

Moscow  State  University,  Russia 

Dieter  Gollmann 

Technical  University  of  Hamburg-Harburg,  Germany 

Stefanos  Gritzalis 

University  of  the  Aegean,  Greece 

Alexander  Grusho 

Moscow  State  University,  Russia 

Amir  Herzberg 

Bar  Ilan  University,  Israel 

Ming-Yuh  Huang 

Northwest  Security  Institute,  USA 

Su.shil  Jajodia 

George  Mason  University,  USA 

Angelos  Keromytis 

Columbia  University,  USA 

VIII  Organization 


Victor  Korneev 
Klaus-Peter  Kossakowski 
Igor  Kotenko 
Pavel  Laskov 
Javier  Lopez 
Antonio  Mafia 
Fabio  Martinclli 
Gregorio  Martinez 
Catherine  Meadows 
Ann  Miller 
Nikolay  Moldovyan 
Wojeieeh  Molisz 
Monika  Oit 
Vladimir  Oleshehuk 
Slobodan  Petrovie 
Neeli  Prasad 
Bart  Preneel 
Roland  Rieke 

Peter  Ryan 
Andrei  Sabelfeld 
Igor  Saenko 
Ravi  Sandhu 
Victor  Skorniin 
Michael  Smirnov 
Artem  Tishkov 
Bill  Tsoumas 
Shambhu  Upadhyaya 
Alfonso  Valdes 
Vijay  Varadharajaran 
Valery  Vasenin 
Paulo  Verissimo 
Peter  Zegzhda 
Cliff  Zou 


Federal  Enterprise  “R&D  Institute  “Kvant’\  Russia 
Preseeure  Consulting  GmbH,  Germany 
SPIIRAS,  Russia 

University  of  Tuebingen,  Germany 
University  of  Malaga,  Spain 
University  of  Malaga,  Spain 
CNR/IIT,  Italy 
University  of  Mureia,  Spain 
Naval  Research  Laboratory,  USA 
University  of  Missouri  -  Rolla,  USA 
SPIIRAS,  Russia 

Gdansk  University  of  Technology,  Poland 
Cybernetiea,  Estonia 
University  of  Agder,  Norway 
Gjpvik  University  College,  Norway 
Aalborg  University,  Denmark 
Katholieke  Universiteit  Leuven,  Belgium 
Fraunhofer  Institute  for  Secure  Information  Technology 
SIT,  Germany 

University  of  Luxembourg,  Luxembourg 
Chalmers  University  of  Technology,  Sweden 
SPIIRAS,  Russia 

George  Mason  University  and  NSD  Security,  USA 
Binghamton  University,  USA 
Fraunhofer-Gesellsehaft  Institute  FOKUS,  Germany 
SPIIRAS,  Russia 

Athens  University  of  Economies  and  Business,  Greece 

Buffalo  University,  USA 

SRI  International,  USA 

Macquarie  University,  Australia 

Moscow  State  University,  Russia 

University  of  Lisbon,  Portugal 

St.  Petersburg  Polyteehnieal  University,  Russia 

University  of  Central  Florida,  USA 


Reviewers 


Mikhail  Atallah 
Fabrizio  Baiardi 
Cataldo  Basile 
Konstantin  Beznosov 
Julien  Bourgeois 
Mariano  Ceecato 
David  Chadwick 
Shiu-Kai  Chin 
Howard  Chivers 


Purdue  University,  USA 
University  of  Pisa,  Italy 
Politeenieo  di  Torino,  Italy 
University  of  British  Columbia,  Canada 
University  of  Franehe-Comte,  France 
Fondazione  Bruno  Kessler,  Italy 
University  of  Kent,  UK 
Syracuse  University,  USA 
Cranfield  University,  UK 


Organ  i/alion 


IX 


Christian  Collberg 
Miguel  Correia 
Frederic  Cuppens 
Dipankar  Dasgupta 
Herve  Debar 
Pierpaolo  Degano 
Changyu  Dong 
Dennis  Gamayunov 
Dieter  Gollmann 
Stefanos  Gritzalis 
Alexander  Grusho 
Amir  Herzberg 
Ming-Yuh  Huang 
Sushil  Jajodia 
Karthick  Jayaraman 
Angelos  Keromytis 
Markulf  Kohlwciss 
Victor  Korneev 
Klaus-F^eter  Kossakowski 
Nieolai  Kuntze 

Pavel  Laskov 
Antonio  Mafia 
Fabio  Martinelli 
Gregorio  Martinez. 

John  McDermott 
Catherine  Meadows 
Nikolay  Moldovyan 
Wojciech  Molisz 
Monika  Oit 
Vladimir  Oleshehuk 
Slobodan  Petrovie 
Nccii  Prasad 
Bart  Prcnccl 
Willard  Thor  Rafnsson 
Roland  Rieke 

Alejandro  Russo 
Peter  Ryan 
Andrei  Sabelfeld 
Igor  Saenko 
Ravi  Sandhu 
Michael  Smirnov 
Zaharina  Stoynova 

Artcm  Tishkov 
Bill  Tsoumas 


University  of  Arizona,  USA 
University  of  Lisbon,  Portugal 
TELECOM  Bretagne,  France 
University  of  Memphis,  USA 
Inst  it  Lit  Teleeom  -  Telecom  SudParis,  France 
University  of  Pisa,  Italy 
Imperial  College  London,  UK 
Moscow  Stale  University,  Russia 
Technical  University  of  Hamburg-Harburg,  Germany 
University  of  the  Aegean.  Greece 
Moscow  Slate  University,  Russia 
Bar  Ilan  University,  Israel 
Northwest  Security  Institute,  USA 
George  Mason  University,  USA 
Syracuse  University,  USA 
Columbia  University,  USA 
Kalholieke  Universileit  Leuven,  Belgium 
Federal  Enterprise  "‘R&D  Institute  “Kvant",  Russia 
Preseciire  Consulting  GmbH,  Germany 
Fraunhofer  Institute  for  Secure  Information  Technology 
SIT,  Germany 

University  of  Tuebingen,  Germany 
University  of  Malaga,  Spain 
CNR/1  IT,  Italy 
University  of  Murcia,  Spain 
Naval  Research  Laboratory,  USA 
Naval  Research  Laboratory,  USA 
SPIIRAS,  Russia 

Gdansk  University  of  Technology,  Poland 
Cybernclica,  Estonia 
University  of  Agder,  Norway 
Gj0vik  University  College,  Norway 
Aalborg  University,  Denmark 
Katholickc  Universileit  Leuven,  Belgium 
Chalmers  University  of  Technology,  Sweden 
Fraunhofer  Institute  for  Secure  Information  Technology 
SIT,  Germany 

Chalmers  University  of  Technology,  Sweden 
University  of  Luxemhourg,  Luxembourg 
Chalmers  University  of  Technology,  Sweden 
SPIIRAS,  Russia 

George  Mason  University  and  NSD  Security,  USA 
Fraunhofer-Gesellsehafl  Institute  FOKUS,  Germany 
Fraunhofer  Institute  for  Secure  Information  Technology 
SIT,  Germany 
SPIIRAS,  Russia 

Athens  University  of  Economics  and  Business,  Greece 


X 


Organization 


Shambhu  Upadhyaya 
Alfonso  Valdes 
Valery  Vasenin 
Paulo  Verissimo 
Peter  Zegzhda 
Cliff  Zou 


University  at  Buffalo,  USA 

SRI  International,  USA 

Moscow  State  University,  Russia 

University  of  Lisboa,  Portugal 

St.  Petersburg  Polytechnical  University,  Russia 

University  of  Central  Florida,  USA 


Table  of  Contents 


Invited  Papers 

S(Tvic('  Dopendeiicics  in  Infori nation  Systems  Secnriiy . 

llm^e  Debar.  Nizar  Khrir.  Nora  Cuppens-Bonfafna.  and 
Fredihic  Cnppriis 


StH  iire  Applications  without  St'cnre  Infrastriictun's .  21 

Dieter  Golliuain} 

Iiile^raliiig  Types  and  S]iecilications  tV)r  Secure  Soltwan' 

Development .  32 

Greg  Mojrisdf 

Cryptograpliy  for  Network  Stnairity:  F'aihires,  Sncct'sses  and 

Cliall(aig(\s .  3() 

Bart  Pirn  eel 

Gronp-Centri(‘  Modtds  for  Sc'cnre  and  Agih'  Information  Sharing .  55 

Ravi  SaiuUiu.  Ram  Kridnian.  Jianwei  Nni.  and 
Wrllimn  If.  Wni.shoimigh. 


Security  Modeling  and  Covert  Charniels 

A  Prc'diclive  Model  for  Cache-Based  Side  Chamu'ls  in  Mnltieore  and 


Mnltithrt'aded  Microprocc'ssors .  70 

Leonid  Doinnit.ser.  Nael  Abu-Gh.azalrh,  and  Dmitry  Poimmarcv 

Attack  and  Dt'h'iise  Modeling  with  BDMP .  86 

Ludovie  Pieire-Cambacede.s  and  Mare  Bouis.sov 

QoS-T:  ejoS  Throttling  to  Eli(‘it  User  Cooperation  in  (\)nipnter 

Systems  .  102 

Vidyaramnn  Sankaranarayanan.  Shambku  Upadhyaya,  and 
Kevin  Kiviat 

Problems  of  Modeling  in  the  Analysis  of  Coven  t  Channels .  118 

Alexander  Ginisho,  Nikolai  Grusho,  and  Elena  Timonma 


Security  Policies  and  Formal  Analysis  of  Security 
Properties 

Policy-Hasc'd  Design  and  VcTificatioii  for  Mission  Assurance' .  125 

Shiu-Kai  Chin,  Sarah  MneeiOy  Snsan  Older,  and 
Thomas  N.J.  Vestal 


XII 


Table  of  Cont(Mits 


Using  E(iuival(niro  Relations  for  Corrective  Enforcement  of  Security 

Policies .  1,‘59 

Raphael  Khoury  and  Nadia  Taidn 

Model  Checking  of  Location  and  Mobility  Related  Security  PoIi(  y 

Specifications  in  Aiiihieiit  Calculus .  155 

Devriin  Uriah  Ozan  Akar,  and  M.  UJuk  Caglayan 

Authentication,  Authorization,  Access  Control  and 
Public  Key  Cryptography 

Credentials  Manageineiit  for  High-Value  Transactions .  1G9 

Glenn  Benson,  Sfmi-K ai  Chin,  Scan  Croston, 

Karthick  J ayarainan,  and  Susan  Older 

A  New  Hard  Problem  over  Non-coinniutative  Finite  Groups  for 

Cryptographic  Protocols .  185 

Dmiiiiy  N.  Moldovyaji  mid  Nikolay  A.  Moldovyan 

Credential  Chain  Discovery  in  RT^  Trust  Management  Language .  195 

Krzysztof  Sacha 

Geiic'tic  Optimization  of  Access  Control  Schemes  in  Virtual  Local  Area 

Networks .  209 

igor  Saenko  and  Igor  Kotenko 

Intrusion  and  Malware  Detection 

Intellectual  liitnisioii  Dc'tection  with  Sequences  Aligimieiit  Methods  ....  217 

Yaroslav  A.  Markov  mid  Afaxim.  O.  Kalinin 

Syniptoiiis-Hased  Detection  of  Bot  Processes .  229 

Jose  Andre  Morales,  Erhan  Kmialtepe,  Shouhuai  Xu,  mid 
Raxn  Sandlin 

A  Comparison  of  PVatiirc'-Selectiou  Methods  for  Intrusion  Detc'ction  ....  242 

Hai  Thanh  Nguyen,  Slobodan  Pctrovic,  and  Katrin  Franke 

From  NLP  (Natural  Language  Processing)  to  MLP  (Mac'hiiie  Language* 

Procc'ssing)  .  25G 

Peter  Teuji,  Udo  Payer,  and  Guenter  Lackner 

Security  of  Multi- agent  Systems  and  Software 
Protection 

Secure  Multi- Agcmt  System  for  Multi-Hop  Environments .  270 

Stefan  Kraxberger,  Peter  Danner,  and  Daniel  Hein 


Table  of  Contents  XI II 


111  the  TVaek  of  the  Agent  Protection:  A  Solution  Based  on 

Cryptographic  Hardware .  281 

Antonio  Ahinoz,  Antonio  Mana,  and  Pablo  Anton 

Security  and  Scalability  of  Heinote  Enti listing  Protec  tion .  298 

Vasily  D(  snitsky  and  lyor  Kotenko 

Adaptive  Security,  Security  Analysis  and 
Virtualization 

A  Novc'l  Cenetic  A])i)roach  to  Provide  Different iatc'd  Lc'vcds  of  Service 

Hesilicnicc'  in  IP-MPLS/WDM  Networks  .  d()7 

Wojeiecli  Molisz  and  dacek  Hak 

Predictive  Sc'cnrity  Analysis  for  Kvent-Drivc'ii  Processes .  321 

Roland  Rich'  and  Zaliarina  Stoynova 

Virtual  Knviroiiineiit  Security  Modeling .  329 

Dmitry  Z(yzhda  and  Ekaterina  Riidina 

(darifyiiig  Integrity  Control  at  the  Trusted  Infonnatioii  EiivironnieiU  .  .  .  337 

Dmihif  F.  Zeyzhda^  Peter  D.  Zeyzhda,  and  Maxim  O.  Kalmin 

Mo 


Author  Index 


Service  Dependencies  in  Information 
Systems  Security 


llcM’vo  Debar \  Nizar  KluMr*^,  Nora  Ciipp('iis-Boiilaliia‘^.  and  Kredorio  CiipjK'iis*^ 

^  Laboratoiie  SAMOVAR  UMR  5137.  Teldconi  Sn(ll\*ui.s. 

9  riic  (duiilc's  Fourier  91011  Evry.  Franri' 
herve . debarOtelecom-sudparis . eu 
^  Teleeoiii  Iketagiu',  2  riic  do  la  Cliataigiioraie, 

35512  Ce.ssoii  ScH  igiie  Cc'dex,  Franco 

{nizar .  kheir  ,nora.  cuppens ,  f  rederic .  cuppens}(atelecom“bretagne  .  eu 


Abstract,  hi  tlu'  coiiiphw  world  of  inforinatioii  sc'rvice.s,  we  are  realizing 
that  system  dependencies  upon  oik*  another  have*  not  only  operational 
implications  but  also  security  implications.  These  .security  implications 
are  innltifold.  Beyond  allowing  an  attacker  to  propagate  ovi'i*  an  informa¬ 
tion  .system  by  leveraging  st('i)i)ing  stones  vuliK'rabilities.  it  also  allows 
a  defender  to  select  the  most  inten'sting  (*nforcement  points  for  its  poli- 
ek’s.  ov(*rall  rc’ducing  the  cost  of  managing  the*  s('cnrity  of  these,  complex 
.systems.  In  this  paper,  we  i)r(*sent  a  dependency  model  that  has  Ix'en  de¬ 
signed  for  the  purpose  of  providing  st'curit  v  operators  with  a  (iiiantitatlve 
(h’cision  support  system  for  d(*j)loying  and  managing  security  policies. 


1  Introduction 

Today’s  world  of  iiiforiiiatioii  services  i.s  beconiiiig  more  and  iiion*  reliant  on 
a  web  of  interconnected  *'iiiiitary’'  st'rvict's,  wlio.sc*  composition  forms  tlu'  basis 
of  so-called  Web  Servici's.  In  fact,  this  notion  of  servict*  composition  can  be* 
('xtend('d  to  any  iiifonnation  systcun.  wIk'IH*  the  simjih'st  form  of  application 
((‘.g.  a  word  proces.sor)  rolic.s  on  an  operating  system,  itself  relying  on  a  sc't 
of  hardware  components  to  provide'  the  capability  to  display,  modify,  store  or 
l)rinl  doenmonts.  d  lu'  value  to  n.sers  is  the  docmii(*iits.  not  any  of  the  tmdcrl>  ing 
services,  and  the  iise'r  often  only  realizes  the  value  of  the  word  pnxH'SSor  software, 
including  all  iiiiderlying  coin]ooiieiits  within  this  value. 

There  have  been  many  efforts  to  model  iiifonnation  systems  and  their  servicH's, 
including  depe'iuh'iicies.  Modediiig  is  in  faed  oik*  of  tin*  most  common  tools  used 
in  comput(‘r  science,  for  exanijile  the  Turing  machine  [1]  or  the  Von  Neuman 
compiit('r  [2].  These*  modc'ls  have  been  n.sed  to  understand  the  properties  of  the* 
modok'd  information  system  and  are  largely  used  today,  for  ('xample  in  policy- 
ba.sed  manageiiK'nt  in  networks  [3,4].  C)nr  work  fully  embrace's  the  definitiems  e)f 
F^olicy  Eiiforcenient  Point  (PEP)  anel  Policy  De'cision  Peiint  (I^DP)  as  ele*fincd  in 
HFC'2748  [4]. 

Our  weirk  target  a  specifie*  snl>-pre)l)lem  of  policy-base'el  inanagement .  We*  wish 
to  iiie)el(*l  anel  use  the  de'i)e'ndene-ie*s  that  naturally  e'.xist  betwe*e'ii  the*  e‘e)mponents 

I.  K«iU  iiko  and  V.  Skt)nnin  (Fds.):  MMM-ACNS  2010.  LNC’S  ()2r)S,  pp.  1  20,  2010. 

0  SpriiiK<’r-\^<*rlag  Bfi  lin  Heidelberg  2010 


2 


II,  Debar  (‘t  al. 


of  an  iiiforiiiation  systoni.  The  model  expressed  above  of  a  standalone  coinpiitc'r 
is  very  detailed,  we  can  construct  coarser  or  finer  models,  but  in  any  case  we 
will  obtain  a  model  wluTe  a  user  enters  a  particular  service  and  will  trigger  a 
set  of  dc'pendeiit  actions  for  the  realization  of  such  service.  Given  the  wealth  of 
existing  models  using  graph  tlu'ory,  petri  nets  and  otlier  relatc'd  formalisms,  we 
b(dieve  that  the  exist('nce  of  these  relations  expressed  as  dei)eiidenci('s  is  well 
establislu'd. 

We  fiirtherniore  a-ssnine  that  these  dej)endencies  have  scnairity  implications. 
For  at  lOfLst  some  of  them,  a  change  in  the  security  status  of  one  of  the  compo¬ 
nents  on  each  side  of  a  dependency  will  imply  a  chang('  in  the  (setairity)  status 
of  the  other  component.  This  implication  has  multiple  con,sec|uenc(?s  and  uses. 
In  the  .scope  of  our  work  on  countermeasures,  we  are  mostly  interested  in  two 
of  them,  finding  the  proper  enforcement  pt)ints  for  specific  security  rules  (which 
then  support  countermeasure  deploynunit),  and  computing  the  impact  of  attacks 
and  coniit('rineasures  that  propagate  over  an  information  system. 

2  State  of  the  Art  on  Service  Dependency  Models 

2.1  Existing  Dependency  Models 

Modol-ba.sed  nianagc'ineiit  has  recently  emerged  as  an  important  tool  to  manage' 
large  information  .systems  and  networks,  as  well  as  security  properties  [5].  fol¬ 
lowing  this  line  of  work,  or  even  before,  several  models  have  been  proposed  for 
dependency  modeling. 

[6]  presents  an  XML  bas(Hl  dependency  mod(d.  This  model  provides  a  backend 
for  building  a  dependency  database,  witlioiit  providing  a  formal  specification  of 
servi(‘e  dependencies.  [7]  defines  a  dependency  algebra  for  modeling  dependency 
strengths.  It  separates*  the  Dependency  relation  from  the  Use  relation.  It  states 
that  critical  components  should  only  use  and  not  depend  on  non-critical  coni{)o- 
nents.  In  [8],  a  UML- based  de])endency  model  desc'ribes  service  dependeiuues  in 
ad  hoc  systems.  It  focuses  on  the  dependencies  n'levant  to  ad  hoc  collaborative 
environments.  Moreover,  a  service'  dependency  classification  for  system  manage¬ 
ment  analysis  is  provided  in  [9].  It  s('i)arates  between  functional  (implementation- 
independent)  and  structural  dependencies  (implementation-dei)endent). 

More  closely  related  to  security,  an  intruder  uses  the  privileges  obtained  on 
the  target  service  in  order  to  iiu  rease  his  benefits  [10]  in  service  oriented  ar- 
chiU’cturcs.  Intrusions  are  compared  to  black  stains  which  spri'ad  in  the  system 
through  the  dependencies  available  due  to  attack  success.  An  intrusion  impact 
thus  i)ropagates  through  some  depc'iidencies  to  the  target  service,  but  not  all 
dependencies.  Existing  tree  or  graph-based  service  d('p('ndency  models  do  not 
represent  conditional  impact  propagations  because  they  do  not  implement  the 
I)rivileges  which  may  hv  obtained  by  successful  attackers  on  target  servi(*es.  Fur¬ 
thermore,  this  model  limits  itself  to  the  propagation  of  the  attacker,  not  of  the 
impact  of  the  attac'k. 


Service  Dependencies  in  Information  Syst.f’ins  Security 


2.2  Cost  Propagation  and  Response  in  Service  Dependency  Models 

Mor('  recently,  sevc'ral  researchers  have  focused  on  the  evaluation  of  impact  pro])- 
agation  rathca*  than  attacker  j)r()j)agation.  [11]  j)rovi(les  a  cost-sensitive  approach 
for  halaneiiig  between  intrusion  and  res])onse  costs.  A  systenn  inaj)  holding  de- 
luaidency  information  is  used  as  a  basis  for  deciding  on  response  strategy.  [12] 
pro]K)S(*s  a  function  which  evaluates  intrusion  resi)ons('  ini])a(*ts  using  depcai- 
dency  trees.  It.  allows  a  cost-s(Misitive  .selection  of  intrusion  res])onses.  Another 
eost-sensitive  analysis  of  intrusion  res])onses  is  ])resented  in  [Idj.  It  list's  d(*p('n- 
dt'iicy  graphs  instead  of  dept'ndeney  trees.  Service  deix'iidencies  are  also  used 
for  fault  analysis  [14],  d('j)endal)ility  analysis  [15]  and  many  otlu'r  applications. 

As  in  [16],  informing  tlu'  r(*s])()ns('  process  starts  with  an  ac('nra.t('  asst's.sment 
of  intrusion  impacts.  Wliik*  attack  graphs  tract'  tlei)t‘ntl('ncit'S  betwet'ii  elt'mt'ii- 
tary  stt'ps  ct)nstitiiting  an  ('X])lt)it  j)lan.  t'aeh  stc])  is  t)nly  assignetl  an  abstract 
ct)st  [17, 18,19].  Unless  relying  on  ex])ert  knt)wlt'tlgt‘,  nt)  ft)rmal  a])j)r()ach  tt)  t'val- 
natt'  elementary  costs  is  |)rt)vitlt*tl.  It  has  been  sht)wn  that  st'rvice  tlej)entlt'neies 
l)rt)vitle  a  snitablt*  ])lati()rm  ft)r  reast)ning  abt)ut  intrnsit)n  imj)acts  [20,21.22,23]. 

Whilt'  we  art'  clt'arly  inscribetl  in  this  line  of  work,  conventional  st'rvice  tlt‘])t'n- 
tlt'iicy  models,  by  intvotlucing  st'vvires  as  black  l)t)xt‘s  regrt)nj)t‘tl  in  tret'  [23]  or 
graph  [20,21.22]  I)a.setl  structures,  are  unable  tt)  catch  the  wav  intrusion  impacts 
s])reatl  in  the  system.  Insteatl,  t  hey  provide  only  means  for  ])roi)agat  ing  availabil¬ 
ity  im|)acts,  but  nt)t  ct)nhtlentiahty  nt)r  integrity.  We  argnt'  that  tt)  bettt'i*  assess 
intrusion  impacts,  a  representation  of  service  tlei)t'ntlt‘ncit's  which  includes  mort' 
than  the  only  inft)rmatu)n  abt)ut  dependency  strengths  is  requiretl.  This  is  the 
rea,son  why  wt'  intrt)dut‘e  the  nt)tit)n  t)f  ])rivileges  in  st'ctit)!!  3.2. 

2.3  Requirenients  for  Dependency  Modeling 

The  existing  dependency  motlels  such  as  graph  [11, 13, 12]  t)r  elas.s- based  [8]  mt)tl- 
els  chissity  service  tle])entleneies  using  static  attributes.  The.se  art'  t)ftt'n  inft)r- 
mally  tlt'hnetl,  atlapted  to  t)nly  s])ecifie  system  im|)lementatit)ns,  prt)nt'  tt)  i.ssnes 
rt'latetl  tt)  Iht'ir  t'xj)rt'ssivt'ness  and  the  dependency  eharaeteristies  they  mt)tlt'l. 
The  tlt‘t*isit)n  ])roct'.s.s  nt'ctls  to  knt)w  more  than  just  the  existt'iit't'  of  a  certain  dt'- 
|)t'ntlt'ncv  anti  its  .strength.  It  nt'eds  to  motlel  full  chains  of  relationships,  taking 
intt)  account  how,  when  anti  why  a  tlej)entleney  is  activatetl.  It  must  alst)  support 
tilt*  attributit)!!  t)f  security  pro])ta*tie.s  tt)  tlit'se  tlt'pentlencit's,  to  ensiirt*  that  the 
tliflerent  effects  of  attacks  art'  j)ro])erly  int)tleled  anti  j)ropagatt'tl. 

On  the  t)ther  hantl,  the  proposed  modeling  framework  must  enable  the  re- 
grtniping  t)f  elemt'Utary  st'rvices  into  tlepentlencv  blocks  with  well-tlehnetl  inter¬ 
faces.  Tht)st'  blocks  can  be  im])lenit'nted  in  other  dt'|)entlencv  blocks,  and  thus 
])rovitling  rt'nsability  t)f  the  tle[)entlencv  mt)tlel.  It  must  also  allt)w  tht'  abstraction 
of  certain  tlepentleneies,  and  thus  representing  only  the  tle])entlencies  relevant 
ft)r  tht*  aj)j)hcatit)u  pnrpt).st's.  This  capacity  ft)r  nmlti-level  modeling  is  ini])era- 
tivt'  tt)  ensnrt'  that  the  prt)j)t)setl  models  rt'inaiii  at'tit)nable,  i.e.  that  they  can 
be  untlerstood  that  the  operators  that  will  need  to  put  in  i)ractice  tht'  results 
obtaintxl.  Our  tibjt'ctivt*  bt'ing  tl('cisit)n  snp])ort  for  security  operators,  we  must 
t'nsiire  that  modeling  is  a  mean  to  this  end  anti  not  an  end  by  itself. 


4 


H.  Debar  el  al. 


This  paper  provides  a  formal  representation  of  service  dependencies.  It  en¬ 
ables  the  inline  ('valuation  of  intrusion  eosts  using  both  the  inivilegos  realized 
on  the  target  s(u  vice  and  its  d('pendeiieies.  The  notion  of  privih'ge  enables  the 
distinction  of  availability  impacts  from  those  of  confidentiality  and  integrity.  In 
the  foriiK'r,  the  attackc'r  revokes  some  privileges  to  k'gitiinate  users  (e.g.,  a  DoS 
attack  prevents  user  from  accessing  to  the  denied  server).  In  the  lattcT,  the  at¬ 
tacker  sc'eks  to  acquire  illicit  privileges,  and  thus  to  have  fraudulent  access  to 
some  cissets. 

3  Formal  Dependency  Model 

3.1  Simple  Service  Model 

An  information  service  S  is  generally  delivcu’ed  to  users  through  a  protocol  spee- 
ifieation  dc'seribing  th('  network  interactions,  the  syntax  and  the  semantics  of 
the  messages  deliven'd  to  the  parties  (users  and  service  e(;inponents).  Examples 
of  such  public  specifications  are  the  IETF  recpiests  for  (‘omnicnts  (RFC)  (e.g. 
HTTF^  DNS,  ...)  or  web  services  specifications.  A  model  Ms  of  a  service  S  is  an 
abstraction  describing  S  using  a  .specific  formalism  (in  oiir  c^ise  the  AADL  for- 
inah.sin  [24],  sc'c  Sc'ction  4).  The  model  aims  at  describing  the  arelhteetiire  and 
behavior  of  the  service  while  rciiuiining  easy  to  handle  for  multiple  purposes: 
simulation,  proof  of  propertms.  management,  etc.  This  informal  de.scription  is 
adaptable  to  many  formalisiiis  such  tis  graphs,  petri  nets,  UML  diagrams,  and 
many  oth('rs. 

\Vc  consider  that  a  .service  is  a  somewhat  large  entity  that  is  build  of  smaller 
objects,  also  called  indifferently  components  (for  exaini)le  software  eoinpoiu'iits) 
or  assets  (for  example  information  assets  of  some  value).  Thus,  a  model  is  com¬ 
posed  of  a  set  of  connect(Hl  components  Ci,  some  of  these  components  being 
ba.sic  building  blocs  and  others  being  models  by  th('mselv('s.  In  a  graph  rei)r(v 
.scnitation,  the  components  Cj  would  be  modeled  by  nodes,  and  the  ('oniu'ctions 
between  these  conipoiu'iits  by  edges.  We  also  incliidc'  us('rs  in  our  s('t  of  inter¬ 
acting  compoiKMits,  in  order  to  obtain  a  complete  model  of  the  service.  We  thus 
define  the  set  of  eomponents  Cs  used  in  the  provision  of  sfTvice  S  as  : 

C5  =  {C\,i€{1...7.}}  (1) 

This  equation  only  represents  the  set  of  nodes  of  the  graph,  not  the  ('dges.  To 
introduce  th('  edge's,  w('  define  the  require  relationship  =>  between  two  compo¬ 
nents  Cx  Hiid  Cy  exi)ress('d  as  Cy,  when  Cx  nec'ds  information  from  Cy  in 

order  to  deliver  its  service.  This  require  relationshi])  represents  the  dependency 
of  Cx  over  Cy.  As  specified  in  section  4.2,  Cx  is  the  aiitecx'dent  component  and 
(7y  is  the  dependent  eomponent. 

Thus,  each  component  C^  is  associated  with  two  sc'ts,  the  set  PC,  of  com¬ 
ponents  that  provide  resources  in  order  to  enable  Cj  to  deliver  its  .service'  to 
ns('r.s,  and  the  .set  SC,  of  components  that  rely  on  C,  to  deliver  their  service 
to  users.  The  eomponents  in  PCi  are  the  providers  of  resources  t(^  (7,  and  the 


Service  DopoiKleiicies  in  Infornnit  ion  Systems  Socnrity 


eonij)oiicnts  of  are  the  siib.serihers  of  resoiirees  i)rovi(le(l  by  coiii])oiient  C,. 
This  relationship  is  foniializcd  as  equations  2  and  3. 


PC,  =  {r,  €Cv.r, 

(2) 

5’c,  =  {a.  e  Cs,c,  ^  c,} 

(A) 

and  oiir  model  Ms  in  (inally  defined  as  tlu*  set  of  trii)l('s.  as  shown  in  ecpiation  I  : 

A/s  =  50  )./€  {!...»}}  (1) 

While  there  is  redinidancy  in  the  specification  of  the  model  (components  appear 
in  symmetric  roles,  as  apparent  in  section  4.2).  tliis  is  eciiiivakmt  to  the  specifica¬ 
tion  of  the  connect (h1  input  and  outi)nt  interfaces  for  each  coiiiponeiit  C^.  h^ach 
ronii)oiient  of  PCi  offers  an  input  interface  that  is  comieetcHl  to  the  appropriate’ 
output  interface  of  Cj.  Similarly,  C,  offers  input  interfaces  to  all  eomponc’nts  of 
SCj.  Note  that  the  model  developed  in  section  4  also  allows  the  (k'hnition  of 
interfaces  that  are  not  eonneeted  to  any  other  eomi)onent.  This  cnabk's  to  vic'w 
basic  models  as  building  blocs  that  can  be  ren.sc’d  to  construct  more  complete’ 
.servic’c'  models.  Thus,  the’  i)rop()scd  formalism  is  hierarchical.  A  component  can. 
at  a  lower  level  of  granularity,  be  a  model  itself,  as  long  as  the  interface*  n.sc’d  to 
commimieate  with  it  is  iinicjue  for  all  the  other  eoniponents. 

3.2  The  Privileges  Extension 

In  the  i)revions  model  dc’finition,  we  siini)ly  connect  conipoiu'nts  togethcT  in 
a  graph-like  fashion.  We  now  c^xtend  this  definition  by  adding  the  following 
spc’cifications:  (1)  the  privik'ges  granted  to  the  servicx*  (coiiscMpiently  the  assets 
it  uses).  (2)  the  crc'dentials  accreditcnl  to  this  service  and  (3)  the  trust  it  has 
regarding  other  privik*g(\s  and/or  credentials.  A  eomponent  is  thus  defined  as 
C  ~  T/y-,  C/y*)  where  P/y-.  Trc  and  C/y-  rc'si)ectively  represcnit  the 

privileges,  trust  relationships  and  credentials  imj)iementc'd  by  the  svrviee  (\ 
These  imijlenientations  spc’eify  the  accc'ss  perini.ssions  grant chI  to  a  coinj)onent 
and  configure  the  way  it  interacts  with  other  coini)onc’nts  through  couiikmkmu 
dependencies.  In  the  ix'maining  of  this  section,  we  define  tlu*  notions  of  priv¬ 
ilege*,  credential  and  trust.  Fiirtlier  we  use  tlu'se  (k'finitions  to  inopose  a  new 
representation  of  component  de])en(lencies  and  the  system  model  as  a  whole. 

We  first  d(*fine  an  anthorizat  ion  as  a  logical  light  that  a])pli('s  to  some  assets. 
All  authorization  may  lie  granted  to  a  subjc'ct,  and  thus  we  introduce  the  notion 
of  privilege  to  model  the  gjmit  of  a  permission  to  a  subject.  A  i)rivileg('  is  specihe'd 
by  the  following  rule: 

1  P<.*rin  issU^n  { .Subj  ,  Act  ,  Ohj  ) :  - 

2  P  r  1  V  i  1  c  gc  (  P  1  i  V  )  ,  S  n  hj  or  t  (  I*  ri  v  ,  S  u  I)j  )  , 

:i  A  u  t  hor  i  zat  ion  (  l^ri  V  .  Auth  )  ,  A  c  t  io n  (  A nt  li  .  Ar f  )  ,  Objoc  t  (  A  iM  h  ,  Ohj  )  , 


6 


II.  Debar  et  al. 


A  privilege  speeifies  a  siil)j(‘et  and  an  appropriate  authorization.  The  latter  in¬ 
cludes  an  action  which  api)iies  to  an  object.  We  represent  a  privilege  Priv  de¬ 
tained  by  a  snl)j('ct  Subj  witii  the  notation  Subj.Priv.  It  is  interprc'tc'd  as: 


Siibj.Priv  Privilege(Pnif),  Subjcrf{PriiK  Subj)  (5) 

We  use  privileges  in  order  to  dc'fiiu'  security  objectives  in  terms  of  (‘onfidcmtiality 
(Co),  integrity  (Ig)  and  availability  (Av).  We  argue  tliat  the  assignment  of  CIA 
(Confidentiality,  Integrity,  Availability)  cost  vectors  to  critical  assets,  as  in  [25], 
does  not  provide  enough  expressiveness.  As  discussed  in  [21],  Av  is  not  managed 
the  same  way  as  for  Co  and  Ig.  Co  and  Ig  are  only  related  to  the  asset  to  which 
they  apply,  but  Av  is  related  to  both  the  asset  and  the  entity  which  seeks  access 
to  this  asset. 

We  spc'cify  the  security  objective's  in  terms  of  Co  and  Ig  as  cost  metrics  as¬ 
signed  explicitly  to  the  aj)j)ropriate  assets.  They  are'  eh'flne'el  as  square  cost  vec- 
te^rs  {Cot,  Igi)  which  apply  to  the  cennpement  C,.  The  metric  Co,  (resp.  /ey,)  take's 
a  higher  value  as  the  compromise*  e)f  the  Co  (resp.  Ig)  e)f  C,  pre)ve)kes  higher  le)sses 
te)  the  system. 

The  re'sulting  e'e)st  for  illicitly  ace|iiiring  an  authorization  a  which  applie's  to 
Ci  is  evahiateel  te)  7/m.r(Ca  x  Co,.  x  Igt).  Ca  (resp.  Xa)  is  set  te)  null  whe*n  the 
antimrization  a  does  ne)t  discle)se*  (re*sj).  alter)  the  Co  (resj).  Ig)  e)f  the  ce)mpe)- 
iient  Cj. 

We  spe'cify  security  e)l)je'ctives  in  teTins  e)f  Av  by  assigning  exxst  scalars  te)  j)riv- 
ileges  rather  than  e)bje'cts.  A  privilege  S.Priv  is  thus  critical  if  the  unavailability 
of  the  j)rivilege  Priv  te)  the  eomponent  C  (i.e*.  user)  pi*ovoke\s  highe'r  le)s.ses  to 
the  .system.  While  Ce)  anel  Ig  impacts  arc  evahiateel  ac*ce)reling  to  the  authe)riza- 
tie)ns  illicitly  acquired  by  an  attae'ker,  Av  impacts  arc  evahiateel  ae!ce)reling  te) 
the  privile'ges  whie  h  are  reve)ke*el  to  their  appre)j)riate'  users.  We  thus  dispense*  e)f 
ine)re  granularity  to  evaluate  Av  e'osts  bee  ause  some  j)rivilcges  may  be  eh'iiie'd  te) 
certain,  but  ne)t  all.  u.sers. 


3.3  Privilege  Sharing:  Credential  and  Trust 

A  cre'elemtial  is  an  ‘entitlement  to  i)rivilege‘,  it  is  ne)t  coiipleel  to  an  e)l)jee't.  but  te) 
an  entity  whieh  trusts  this  eTC'eiential  and  share's  in  e'e)unterpart  some  privile'ge's. 
A  cre'elential  thus  e*nabie'S  an  e^ntity  which  is  not  a.ssigneel  some  privile'ge),  te) 
share*  this  privilege*  with  some'  othe*r  entities.  Wc'  introduce  credentials  with  the 
predicate  Credential  which  is  ek)fin(*d  by  the  expres.sie)n: 


Credential  (Cl)  <=^  3(Subj\ ,  Subj2)  :  0?/»ncr(Cr,  Subj\),  Authority{Cr,  Stibj2)  (b) 

In  e)ther  terms,  the  e-re'ele'iitial  Cr  is  granted  te)  the  subjee't  Subji,  and  trusted 
by  the  subject  Subj-2.  We  re'j)re'se*iit  a  credential  Cr  e)wne*el  by  a  subject  Subj 
with  the  ne)tatie)n  Subj.Cr.  It  is  interpreted  as: 


Subj.Cr  <=>  Credential  {Cl'),  Oivncr{Cr,  Subj) 


(7) 


S<Tvi(*('  D<'p('ii(l<'iicio.s  in  Infoniuit ion  Systems  Sc'cnrity 


Wo  dofiiK'  trust  as  an  association  of  a  privilogo  to  bo  sliannl  in  (‘onntorpart  to 
soino  cro(l(Mitials  and/or  |)rivilogos.  Trust  n^lationships  arc'  iinplc'inoiitc'd  as  part 
of  an  antliorization  scliomo  by  which  wt'  may  specify  tho  way  privileges  may  b(' 
shared  botwoc'ii  tho  difforont  subjc'cts  of  a  systoni.  Wo  introduce  tlu'so  relation¬ 
ships  using  tli('  prc'dicato  Ti  ust  which  is  declined  by  t  li('  following  spooi heat  ion. 

1  Trust  (Tr)  (  Sii  bj  ,  1  n  p  ,  Out  )  : 

2  S  11  bjrr  t  (  Tr  .  Sii  l)j  )  .({rant  ro  (  I  r  ,  Out )  ,  P  i  i  v  i  logo  ( Out )  . 

j  r m  si  oo  {  Tr  .  I  n  p  )  ,  C  ml o  ii  t  i  a  I  {  1  ii p  )  V  P  r  f  v  i  I  og f‘  (  I  n  p  )  . 

In  other  terms,  tho  snbjc'ct  Sid)j  iinploinonts  a  trust  rc'lationshii)  by  which  it 
shares  tho  ]>rivilego  Oat  in  counterpart  tcj  th('  trusted  credential  or  privilc'gc' 
hip.  Th('  satisfaction  of  a  trust  rolationshii)  results  in  additional  authorizations 
granted  to  tlio  trusted  subject  (i.e.  tlu'  subject  which  has  th('  trnstc'd  credc'ii- 
(iais  or  privik’ges).  The  satisfaction  of  a  trust  relationsliip  is  formalized  by  tin' 
\i )1  low i ng  spooi fi ea t  ion : 

1  >  Oul  :  T  rns>l  t  'I*i  )  ,  S  ii  1)  j  oc  t  (  Tr  ,  .S n  bj  )  ,  '1' r  ii s  t  oo  (  Tr  .  I n  p  )  ,  CJ  i  an  1  oo  ( 'IT  ,  Out  )  , 

2  S  11  bjoc  t  (  Out  ,  Sii  bj  )  ,  [  P  r  i  V  i  1  f'gi'  (  I  n[)  )  ,  S  u  b j  or t  (  I ii  p  ,  Siihj-2  )  |  V 

i  (  C  r  o  cl  r  11 1  i  a  1  (  I  n  fj  )  .  0\vn<‘r  (  I  n  p  ,  StthJj  )  .Authority  (  I  n  p  .  S  ii  hj  )  | 

Trust  rc'lationships  an'  nsc'd  to  conHgnix'  and  .sc't  accc'ss  control  assocaatc'd  with 
sc'rvicc'  dt'pc'iideiK  ies.  Tlu'  satisfaction  a  de])('ndoncy  is  constraiiu'd  by  tlu' 
imphMiK'iitation  of  aj)])r()])riale  trust  ixdations.  Tlu'se  an'  thrc'atened  by  attackc'rs 
who  try  to  bypass  those  relations. 

4  Model  Formalism  Using  AADL 

4.1  Introduction  to  AADL 

AADL  has  been  standardized  and  n'lea.sc'd  by  the  Socic'ty  of  Automotive'  Eiigi- 
iK'c'rs.  AADL  ])rovidcs  formal  nuxleliiig  concepts  for  the  dc'seription  and  analysis 
of  application  system  architectures  in  terms  of  distinct  components  and  tlu'ir 
intc'rac  tions.  We  ]xivilcgc'd  AADL  ov(*r  common  modeling  language's  like  UML 
be'eTviise  AADL  provieie's  me^re  powe'rful  fe'atnre\s  for  mejeleling  system  rnntime  be'- 
haviors.  AADL  ])rovide*s  standardized  tc'xtnal  and  graphical  notations  for  moele'l- 
ing  systems  and  the'ir  rime  tional  intea  face's.  It  has  be'cii  de'sigiu'd  to  be'  e'xte'iisible 
so  that  analy.sc's  that  the  core  language  elex's  not  siip|)e)rt  can  be  sn])])li('el.  The' 
ewtensibilit v  in  AADL  is  provided  thre:)ngh  the  Annex  e'Xte'iision  ce)nstrne“t. 

Onr  AADL  Irame'weirk  meielels  ii.se'i*  rnntime'  be'havie)rs  wln'ii  acc'essing  the  elata 
prewiele'el  by  ele'])enelent  serviex's.  It  ex^ntrasts  with  most  fnnetiexial  depeaiele'iicy 
models  since'  it  fe)eMise's  eiii  the'  data  fleiws  <is.se)eiate'el  with  the*  aexx'ss  te^  a  ele'- 
pe'iident  serviee  rathe'r  than  e)n  tho  me)ele'l  e)f  its  fnne‘tie)nal  ele'pe'iiele'iicie's.  This 
is  a  ke'v  ee)nex'pt  in  onr  approach  since'  ])e)licv-elriven  re'sponses  rexpiire  pedicy 
e'nfe)iTe'me'nt  pe)ints  te)  deny  se)me'  e)f  these'  elata  Hexvs. 

Sine  e  e)nr  appre:)ach  focuses  on  in  forma  tie)n  systems  se'eairity,  we'  generally  ave)iel 
te)  model  functional  ele'pe'iiele'iu'ie'S  if  these  de'pendeue  ies  dei  not  prewiele  a  way  te) 
alte'i  or  e‘nfe)re  e  se'cnrity  proper  ties.  We  for  e'xaniple'  raix'ly  incluele  a  ele'pe'iiele'iie  > 
bed  ween  seTtware  anel  the  nnele'iiying  harelware  platform,  anel  will  alse)  ignore'  the' 


8 


H.  Debar  et  al. 


operating  systcnn  if  it  is  not  part  of  the  managed  environment  (e.g.  in  a  cloud 
coinputiiig  environment).  We  also  rarely  model  network  link  properties,  unless 
filtering  devices  partition  the  network  in  zoiu's  with  different  traffic  policies. 

We  thus  model  servit^es  as  abstractions,  and  these  are  decoupled  from  the 
concrete  components  which  realizi'  them.  Our  decision  can  be  best  motivfxted  by 
the  fact  that  ('oiu'ic'te  components  only  introduce  functional  (h'pendencies  which 
are  not  relevant  in  our  approach.  For  instance,  a  web  scTvice  is  defined  through 
its  (lepeiidencies,  independently  whether  it  is  implemented  by  apache2  serv('r  or 
windows  web  server.  We  use  for  this  purj)ose  AADL  system  abstractions. 

AADL  models  (h'pendeiieies  using  inter-coinponeiit  connections.  AADL  con¬ 
nections  rc'produce  the  service  topology.  They  allow  modeling  iiiultiplo  service 
paths  through  tlu'  use  of  multiple  connection  paths  to  the  same  data.  We  also 
use  AADL  operational  modes  in  ordcT  to  represent  the  dependency  secpumcing 
(luring  the  workflow  of  the  dependent  service. 

We  use  tlu*  AADL  Error  Model  Annex  [2G]  which  has  al.so  been  standardizc'd 
to  add  features  for  moch'ling  tlu'  syst(nn  l)(diavior  in  the  pres('nc(‘  of  faults.  We 
use  faults  as  model  constructs  in  order  to  rc'present  the  behavior  of  a  dependent 
service  when  it  can  not  access  to  the  anteci'dent  servicf'  due  to  a  resi)on.se  ap¬ 
plication.  In  the  remaining  of  this  s('ction,  we  describe  the  main  elements  of  our 
AADL  dependency  model. 

4.2  Specification  of  Dependencies  in  AADL 

We  define  a  scTvice  as  the  inii)l(^ni(mtation  of  an  interface  which  provides  data 
access  to  its  users  ((‘.g.  Web  service',  IP  service).  A  service  often  requires  acce'ss 
to  subsidiary  data  during  its  normal  bcdiavior.  It  is  thus  identifie'd  through  the 
specification  of  its  requiri'd  and  i)rovided  data  accesses.  We  model  an  elementary 
service  in  AADL  as  a  black  box  with  specific  requires /provides  interfaces.  Each 
interface  (‘iiabk's  a  si)e(:ific  data  ac(‘ess,  either  r(*c|uired  or  provich'd  by  the  service 
(see  Figure  1).  We  may  add  constraints  betwe^en  data  required  and  provide'd  by 
a  servu'e  (e.g.  the  n'qiiin'd  account  is  the  owner  of  the  providixl  data).  Thi'sc'  an^ 
expressed  as  predieati's  assigiu'd,  when  iiec^essary,  to  the  ( orr(\s]:)onding  interface's. 

Se'rvice  A  d('p('nds  on  servico  B  when  A  requirt's  data  acc('ss  which  is  provich'd 
by  B,  A  is  the  dependent  service,  and  B  is  the  antecedent  service.  The  failure  of 

1  - hupleinrutat  ion  of  elementary 

fiervtre  — 

2  systom  Scr  vicc-N  aino 

.3  features 

4  KFl  :  requires  data  access  data.Sot 

G  RFn  r  requires  data  a  c  cress  data.Set 

7  PFl  :  providers  data  access  data.Set 

8  .  .  , 

9  PFin:  provides  data  access  d al  a.Se t  _p in  :  P rovides  Juta  aci  vi.s 

i()  end  Service-Name; 


Requires  data  access 


J 


r?  r? 

-rl  ; 

^RHI  kK2 

RFn^ 

Service 

_name 

_r n  , 

-p  1  ; 

PFl  pf: 

PFm 

J 

Fig.  1.  Eh'iiieiitary  St'rvict^  defiiiitioii 


Service  Dopciidoiicies  in  liiforiiiatioii  Systems  Security 


9 


B.  duo  to  ail  attack  or  a  rosponso,  provoiits  it  from  ])rovi(ling  the  data  ri'qiiirod 
by  A.  Tlio  j)ro])or  behavior  of  A  is  thus  coiiditioiiod  by  the  i)ropor  behavior  of 
B  Required  data  accesses  enable  dependency  compliance  check;  A  may  neven* 
(l('j)end  on  a  D  if  the  data  access  ])r()vided  by  B  is  not  required  by  A.  flow('V('r. 
a  required  data  acci'ss  does  not  necessarily  im])ly  tin*  need  for  a  dependency, 
bc'canse  this  accc'ss  can  be  managed  by  the  service  itself.  For  instance,  a  mail 
delivery  service  requires  access  to  user  accounts.  Tli(\se  can  be  managed  locally 
by  tlu^  service  (passwords  file),  or  remotely  accessed  tliKnigh  a  din'ctory  servi(‘(\ 
Only  the  latter  case  ini])lies  a  (U'pendency  for  the  dirc'ctorv  .service. 

We  model  tlu'  d('i)end(nicy  of  service'  A  to  service  B  by  coinu'cting  the  provides 
interface  of  B  to  its  com])lenK’ntary  requires  interface  of  A.  The  AADL  model 
dux  ks  tlu’  c()m])lianc('  of  this  d(’])end('iicy  by  verifying  that  the  access  rc'quirexl 
by  A  corre'sponds  to  the  access  j^irovided  by  B  (see  Figure  2). 

1  sy  st  eiii  i  in  j>  U*  in  (•  n  t  at  io n 

Depetidi^iu  y _M odt'l  A 

2  snbt  oinporiotits 
A:  .system  dependent; 

4  B;  system  antecedent, 

r,  <  on  net  t  ions 

fi  const  _AB:  data  acc'ess  B.PF'l  — >  A.HFl 

7  I'lid  Dependency-Model  ,  A  ; 

Fig.  2.  Explicit  Service  Dopeiuloiicy  Representation 


K«i|uirr<  da  la 
acccKs  (1u(a  Sol  r  t 


Pri)vido<[  data 
a  0 1'  0  ^  d  a  I  a  Set  i ) 


In  th('  formalism  of  section  3.1,  S  =  {A,  B\  according  to  ('qiiation  I,  PC\\  — 

{B}.  .STA  -  0,  PCb  =  0,  SCn  =  {A},  and  .S’  -  {(A,  {/i^}  ,0),  (/T 0,  {A})} 

according  to  etpiation  1. 

5  Dependencies  Properties 

We  defiiK'  the  following  dej^iendeney  eharacterist  ics. 

Dependency  type  defines  tlu'  path  of  the  network  flow,  and  describes  the  data 
a.ssets  exchaiigt'd  between  the  dependent  and  the  aiitt'cedent  service. 

Dependency  mode  makes  precist'  tlu'  occairrence  of  a  dependency  within  tlu' 
life  cycle  and  workflow  of  tlio  dcj^iendent  servict'. 

Dependency  impact  evahiab's  tlu'  influence  of  tlu'  abst'iico  or  degradation  of 
th('  relation  betwet'ii  antecedent  and  d('])eiideiit  services. 

While  these  characteristics  may  be  completed  at  a  lat(T  time,  we  believe  that 

they  are  the  most  relevant  for  oiir  purpose  of  using  the  (l('])eiideiicy  inodid  for 

a.ssistiiig  the  decision  j^roci'ss.  In  the  remainder  of  this  section,  we  disenss  each 

attribute,  and  we  show  how  it  is  modeled  in  AADL. 


10 


H.  Debar  ot  ai. 


5.1  Dependencies  Types 

They  describe  elementary  paths  followed  by  the  data  provided  by  the  antecedent 
service.  They  only  describe  acc('ss  paths  for  the  direct  depeiulcneics  of  a  service. 
Complete  data  paths,  due  to  indirect  dependencies  (depondeneies  of  the  direct 
antecedents  of  a  service),  are  antoniatically  inferred  from  elementary  accc'ss  i)aths 
for  ('ach  service. 

A  d('pendency  type  may  be  either  service-side,  iLser-side  or  proxy  de[)endency. 

Service-side  dependency:  The  dependent  service  initiates  the  interaction  with 
the  antecedent  service.  The  user  connects  to  the  dependent  service  as  if  no 
dependency  (*xists  (see  Figure  3-a). 

User-side  dependency:  The  user  obtains  credentials  from  the  antecedent  ser- 
vi(*e  and  pr('sent  them  to  the  dependent  service.  The  (oimc’ction  is  transpar¬ 
ent  for  the  dependent  service  (see  Figure  .3-b). 

Proxy  dependency:  The  access  path  to  the  dependent  service  is  intercepted 
by  the  ant('c(‘d('iit  service.  No  access  pcith  explicitly  exists  between  the  de¬ 
pendent  service  and  its  user  during  the  dependency  (se('  Figure  3-c). 


a-  Service-side 


b-  Us'cr-side 


D 


□ 


w 


c-  Proxy 


VVliite  interfaces  represent  t  lie  data  fl{)w  providc-d  by  tlie  dei>endent  service  for  its  users. 

Gray  interfaces  represent  data  flow  provided  by  the  antecc'dent  .service. 

A  is  the  dependent  service.  13  is  the  antecedent  service,  and  U  is  the  user  of  the  dependent  service. 

Fig.  3.  S<‘rvi(*c  Dependency  Types 


5.2  Dependencies  Modes 

The  dependencies  mode  describes  the  sequencing  of  depeiuhMicies  within  the  life 
cycle  and  workflow  of  the  dt'pendent  service.  We  use  AADL  operational  inodes 
for  modeling  (h'pendency  setpieiicing.  AADL  modes  are  constructs  which  rep¬ 
resent  operational  states  of  a  component.  Each  mode  illustrates  <an  operational 
plnise  for  the  dependent  service  which  is  charactt'rized  by  the  need  for  a  certain 
dependency.  As  such,  the  dependent  service  does  not  notice  tlie  failure  and/or 
inacce.ssibility  of  the  antecedent  service  unless  the  former  reaches  an  operational 
inode  where  it  recpiires  the  access  to  the  data  providcxl  by^  the  anteccxleiit  service. 
The  transition  into  a  (h'jK'iidc'iKy  mode  means  that  the  dependent  service  has 
reached  an  operational  phase  where  it  rcfiuires  acce.ss  to  the  data  firovided  by  the 
antecedent  s('rvice.  Tlu*  transition  out  of  this  mode  means  that  the  dependency 
is  no  longer  rexjuired. 


Sorvice  ])(*])('iuI(Miri(»s  in  Iiiforiiiatioii  Syst.c'ins  Security 


11 


A  s(T\  ic('  luLS  four  opcn  atioiial  mode's.  Tlu^sc'  mode's  de'se  ribe'  t  he'  life'  cycles  e)f 
this  service'.  Eve'ry  ele^pe'neloncy  nioele  e'xists  ne'ccssarily  in  at  k'ast  e)ue'  e)f  tlu'se' 
o])e'rHtie)iial  iiiodos.  WV  shall  first  ele'scrilK'  se'rx  ie  e'  life'  eye  le'  in  AADL,  anel  late'r 
we'  ele'srribe'  ele'j)e'neie'nry  sceiiK'iu'ing  einviug  this  life  ryrl(\  The'  se'rvie  e'  life'  eye  le' 
hedels  fe)ur  e>pe'ratie)ual  me)ek's:  Start,  lelk',  He'epie'st  anel  Ste)p  iiie)ele's  (se'e'  the* 
assejeiate'el  AADL  luejelel  in  Figure'  4).  Tlu'y  are'  ek'liiie'el  as  fe)lk)ws: 

Start  Mode  e  harae'te'rizc's  the'  lanne'hing  pe'rie)el  of  a  se'rvie  e'.  The'  ])roe‘e'ss  re'al- 
iziiig  the'  se'rviee  is  k)aeling  e‘e)iiligurat  ie)ns  anel  asse'ts.  The'  transitiem  out  e)f 
this  inejek'  e)e‘e‘iirs  when  the*  ])ie)e‘e'ss  is  re'aely  te)  re'e^e'ive'  user  re'qiu'sts.  De'peii- 
ek'iie  ie's  in  start  ineak'  are  e)ne'-tiine  ek'j)e'iide'ne'ie's  e)nly  re'ejuired  eluring  se'rvie  e' 
start-U]). 

Idle  Mode  eharae  te'i ize's  the'  j)e‘rie)el  einring  which  a  service'  is  waiting  fe>r  iii- 
(‘e)uuMg  user  requests.  The'  traiisitiejii  out  e)f  this  ineiek'  is  initiateel  by  a  u.ser 
re'epie'st,  e)r  by  a  ek'cisie)!!  to  ste)j)  the'  se'rviee'.  The'  ele'i)ende'ne‘ie's  in  this  phase' 
are'  mainly  finie‘tie)nal  elepeiieleneie'S  ne)t  rek'\aiit  fe)r  the  purpose  e>f  this  pa- 
[)e'r.  but  which  can  be'  furthe'r  inve'stigate'el  as  fe)r  impaet  e'valuatie>ns  (se'e' 
s(‘(‘tie)n  9). 

Request  Mode  starts  when  the'  se'rviee  re'eei\e's  a  user  re'einest.  It  e'haraete'i- 
ize's  the  in-line  ele'])eueleneie's  r('e|uire‘el  in  e)rek'r  te)  ])re)ee'ss  this  re'epK'st.  T  he' 
transition  fre)m  this  moele  e>e‘e‘urs  afte'i*  the  use'r  e‘e)niie'e‘tie)n  is  elose'el. 

Stop  mode  All  the  ae  tions  a  servie^e'  may  take*  be'fe)re'  ste)j)ping  are'  e:onsiek're'el 
as  part  e)f  the  ste)])  me)ek’. 

The  time'  spent  in  e'aeh  opcratie)nal  me)ek'  varies  aece)reling  to  service  eonfigura- 
tions.  Transitions  betwe'e'ii  o])e'rational  me)ek's  may  alse)  vary  fe)r  certain  service's 
F'en’  instanee.  a  serviee'  e‘e)nfigur('<l  thre)Ugh  the'  Internet  sn])er  dae'inon  inetd 
starts  e)n  a  pe'i-reejnest  biisis  anel  the're'fore'  elire'e  tly  switchc'S  te)  the  stop  nK)de' 
at  the  e'liel  ejf  the  re'ejuest  niejek'.  The'  same  ser\  ie  e'  starte'el  tlire)ngh  the  be)e)t  se'- 
e]uenee'  ee^iifiginatie)!!  file's  /etc/re.d/  will  run  thre)nghe)ut  the  entire'  uj)time  ejf 
the  system,  anel  will  e^nly  be'  in  start  ine)ek‘  eluring  the'  l)oot  se'ejue'ne  e'. 


T 


1  i in  (1 1<‘ iiH* II  t  a  t  i (III  Dc|)cii(h‘nt  .instance 

■j  sn  liCiim  ponen  t  h 

:$  CStiirt:  system  op-Stnte  in  iiuxles  (Start): 

•1  e’l<il(‘r  systi'in  mi-.Stntt*  in  nuMlcs  (  liHe); 

r,  ('ne(\u<*sl  ;  sysO'in  op.State  in  modes  (He(pi<‘st  )  ; 
li  C'Stop:  system  up. .State  in  modi^s  (Stop): 

7  modes 

H  Start:  initial  modi'  : 

')  ldl(':  mode;  l^i'ipiest  :  mode;  Stop:  modi': 

I  u  Start  [  e  ’  S  t  a  r  t  .  t  r  a  n  s  i  t  ]  >  Idle: 

II  Idle  -  ( (’ 1  d  le  .  t  r  a  n  s  i  t  j- >  Hi'qiiest  ; 

12  neijnest  —  ('Hequi'st  .  t  r  ;i  n  s  i  t  ]  —  >  Idle; 
lit  Idle  -  ((‘Idle  .  down)  — >  .Stop; 

11  I'lid  Di'pend  eiit  .  i  n  s  t  a  n  <  e  : 


Fig.  4.  L)e'))e'nelcnt  Service'  Mode's 


12 


H.  Debar  ot  al. 


5.3  Dependencies  Sequencing 

Depeiulciicies  in  each  operational  mode  are  invoked  in  a  certain  sequence  related 
to  the  service  behavior.  These  are  defined  as  AADL  operational  sub^inodes  as¬ 
signed  to  the  components  of  each  operational  mode  (lines  2-6  in  Figure  4).  We 
thus  state  dependencies  within  the  life  cycle  of  the  dependent  service^  and  we 
determine  the  dependency  sequencing  within  the  same  life  cycle  phase.  We  ob¬ 
tain  a  Dependency  Finite  State  Machine  (DP^SM)  with  sub-states.  Dependencies 
appear  in  three  possible  sequent^es  (h^scribed  as  follows. 


a-  StateIo.s.s  s(X]iienciiig  . 


Stateful  sequenc- 
1  sequencing 


c-  Alternative  sequencing 


Fig.  5.  Service  Dependency  Sequencing 


—  Stateless  sequencing:  the  satisfaction  of  the  parent  dependency  is  an  obliga¬ 
tion  prior  to  the  access  to  the  child  dependency.  However,  the  former  does 
not  need  to  remain  satisfied  once  the  latter  is  accessed  (Figure  5-a). 

“  Stateful  sequencing:  the  parent  dependency  must  remain  satisfied  as  long  as 
the  child  dependency  is  not  satisfied  y('t  (Figure  5-b). 

“  Alfemative  sequencing:  characterizes  redundant  dependencies.  TIk^  transi¬ 
tion  from  the  parent  dependency  leads  to  one  of  the  child  dependencies 
(Figure  5-c). 

Stateless  and  stateful  sequencings  express  conjunctive  dependencies.  Alternative 
sequencing  expresses  disiunctive  dependencies  where  only  one  alternative  depen¬ 
dency  is  required.  Each  depeiuhuicy  mode  is  associated  with  a  specific  require 
interface  (see  Figure  1)  which  is  connected  to  a  specific  antecedent  service. 

5.4  Dependencies  Impacts 

The  dependencies  impacts  express  the  consc^quence  of  any  degradation  of  the 
antecetlent  service,  which  alters  tlu'  access  to  data  required  by  the  dependent 
service.  The  failure*  of  a  dependency  alters  the  transitions  between  operational 
modes.  This  alteration  is  motivated  by  the  fact  that  the  failure  of  a  dependeucy 
denies  reaching  its  subseeiuent  dependencies  in  case  of  no  alternative  dependency. 

Dependency  failure  does  not  only  alt(T  the  nornial  transition  out  of  the  failed 
dependency.  It  may  also  restrain  the  service  to  switch  to  another  operational 
mode.  For  instance,  a  web  s(*rver  may  switch  to  insecure  connections  when  the 
SSL  service  does  not  respond.  We  use  the  AADL  error  model  annex  to  rep¬ 
resent  the  impact  of  a  dependency  failure.  Each  service  is  attributed  at  least 
two  AADL  error  states,  which  are  normal  and  failure  states.  The  impact  of  a 
dej)endcncy  is  expressed  by  constraining  the  transition  out  of  a  dependency  to 


Service  Depeii(leiicies  in  In  fori  nation  Systems  Security 


13 


occur  (iopondiiig  on  the  error  state  of  the  antecedent  service.  This  is  doin'  I)v 
defining  GucmLTransition  properties  which  use  error  propagations.  Error  prop¬ 
agations  are  AADL  constructs  which  notify  the  coni})onent  at  the  remote'  end  of 
cl  coniH'ction  about  the  error  state  of  the  otlu'r  component.  We  use  EiTor^Fva 
and  Faded  propagations  which  notify  rt'sj^c'ctively  an  error  fret'  and  a  faih'd  d('- 
pe'iidency  states.  Each  de'pc'iuh'iicy  state  may  disjiose  of  two  transitions.  The 
first  is  the  normal  transition,  constrained  by  the  satisfaction  of  the  dependency. 
The  second  transition  is  optional.  It  is  constrained  by  the  inability  to  satisfy  the 
dependency. 


6  Dependency  Model  Framework  and  Implementation 

Section  5  has  defined  the  s('rvice  depeiulency  characteristics  managed  using  onr 
approach.  This  sc'ction  describes  the  steps  for  building  a  depend('ncy  model 
using  our  framework  sninmariz('d  in  tdgun*  6.  WV  use  tlu'  Open  Source  AADL 
Tool  Enviroimient  (OSATE)^  which  is  a  set  of  Eclipse  plug-ins.  OSATE  maintains 
AADL  models  as  XML-based  files,  which  allows  th('  reusability  of  tlu'  model. 


Fig.  6.  I)('pendency  Mod<'l  Eraiiu  work 


The  modeling  framework  is  sidit  into  four  steps.  The  user  is  int('nded  to  do 
the  first  two  st.('j)s.  Tlu'  last  two  steps  are  automatically  generated. 

Step  1  consists  of  modeling  the  explicit  dependencies  of  a  service.  Each  .service 
has  a  dedicated  depeiKh'iicv  model  defined  in  an  AADL  package.  Only  explicit 
dependencies  are  represented.  Antecedent  services  are  considered  as  inde])en(lent 
sc'rvices.  and  therefore  indirect  dependencies  are  not  reprc'sented. 

Step  2  consists  of  modeling  the  dependency  impacts.  Only  the  impacts  of 
explicit  d('i)endencies  ar('  nuxk'led.  Iiidin'ct  d('pend('n(w  impacts  are  inferred 
from  those  of  explicit  dependencies. 

http: //la. sei . emu. edu/aadlinf osite/OpenSourceAADLToolEnvironinent . html 


1 


14 


H.  Debar  et  al. 


Tlio  iteration  over  the  first  two  st('i)s  consists  of  repiacing  antecedent  ser¬ 
vices  by  tlie  impleineiitation  of  their  composite  dc'pc'iuhnicy  inodeis.  Antecedent 
services,  previously  used  as  abstract  independent  coinpoiu'iits,  are  replaces!  by 
instantiations  of  their  dei)enden(‘y  package's  (see  the  case'  stnely  for  examples). 

Ill  Step  3.  OSATE  tnanslates  the  AADL  model  into  a  multi-file'  XAIL  model. 
Each  package  (i.e.  eleiiientary  elepende'iicy  moelel)  is  saveel  as  an  XML  file  ex- 
pres.sed  using  the  AADL  XML  Interchange  fe)rinat.  This  step  is  preex'dcxl  by  an 
automated  model  validation.  OSATE  checks  the  connections  betwe'en  model  com- 
l)e)nents.  It  flags  inappropriate  de])endencies  whe^re  a  depenelent  service  is  maele 
elepe'ndent  of  an  aiitece'elent  service  which  doe's  ne)t  pre)viele  its  recjuirc'd  data. 

Step  4  is  the  imi)lementation  of  a  query  interface  which  manages  the'  ac'- 
(^(^ss  to  the  dependency  iiKjde'l.  This  interface  is  queried  for  the'  dependencies  of 
a  specific  service.  We  use  the  Java-based  Docmne'iit  Object  Model  to  exi)lor(' 
the  AADL/XML  iiuxh'l.  The  query  iuterfac^e  builds  a  Dependency  Finite  State 
Machine  (DFSM)  with  sul)-stat('s  in  order  to  represent  S('rvic('  dej)endencies. 

The  DF'SM  schema  is  illustrated  in  Figure  G.  It  summarizes  all  the  deiK'ii- 
deiicy  characteristi(‘s  modeled  in  the  first  two  steps.  The  attributes  of  a  de¬ 
pendency  state  are  (1)  the  antc'cedeiit  service,  (2)  tlu'  n'cpiirc'd  data,  (3)  the 
recpiester  (dependency  typ('),  (4)  the  depeiifh^ncy  imj)act.  (5)  the  parent  depen¬ 
dency  and  (G)  the  lu'xt  dependency  (d('j)enden( y  modes).  CycJic  dependencies 
are  discartlcd,  aiul  thus  a  depeiidcuicy  state  cannot  be  a  parent  for  anotlu'r  de¬ 
pendency  state  which  j)oints  to  the  same  service. 


7  Using  Dependencies  Models  for  PEP  Selection 

In  th('  context  of  our  work  on  tlu'  ns('  of  the  OrHAC  security  policry  language 
for  intrusion  response  [27],  we  have  used  the  j^roposed  model  for  selecting  ])olicy 
('iiforeement  points  as  enforcers  of  OrBAC  i:)olicy  rules. 

7.1  Modeling  Policy  Enforcenieiit  Points 

The  flerivation  of  concrete  ('k'liK'iitary  accesses  is  followed  by  a  de(usion  process. 
It  aims  to  n'configiire  elementary  a(x*('sses  so  that  the  initial  n'sponse  acce.ss 
rule  could  be  api)lk'd.  In  (^aso  of  permission,  the  decision  jn'oeess  satisfies  at 
least  a  minimal  s('t  of  dependence's.  In  c^-use  of  a  prohibition,  it  checks  that 
no  dei)endency  path  enabh's  the  prohilflted  data  aecess.  Access  p(*rinissions  are 
modified  through  tlie  reconfiguration  of  PEPs  which  are  modules  a.ssociated 
with  service's.  We  then'fore  consider  each  .service  as  a  PEP  having  limited  access 
control  capabilities.  This  capability,  when  it  exists,  is  liniit('d  to  a  sjx'cific  class  of 
subjects.  It  thus  restrains  the  PEP  cai)ability  to  apply  elementary  aceess  rules. 
For  instance,  firewall  visibility  is  limited  to  network  levc'l  information,  it  is  not 
able  to  monitor  user-h'vel  credentials. 

A  PEP  is  able  to  afjply  a  security  rule  when  (1)  the  subject  in  this  rule 
belongs  to  the  caj)ability  set  of  the  PEP,  (2)  the  service  point('d  by  the  action  is 
managed  by  the  PEP  and  (3)  the  object  is  a  data  provided  by  the  service.  The 


Sorviro  I)(‘pt’iideiicies*  in  Iiifonnatioii  Systems  Sc'curity 


15 


(‘ajmhility  of  a  dej^xMids  on  its  concroto  inipleiiioiitatioii.  It  is  doliiu'd  as  a 
constraint  which  nnist  l)c  satisfied  by  the  subject  in  the  security  rule.  Services 
which  do  not  hav('  a(*c('.ss  control  ca|)al)iliti('s  an'  assigned  null  capability  s('ts. 
The  Id)P  may  select  a  certain  PEP  if  the  siibjt'ct  within  the  (*l(‘nientary  c()ncr('t(‘ 
rnl(*  d('riv(Hl  for  this  PEP  belongs  to  its  capabilitN*  class.  The  PDP  selects  th(‘ 
o|)tinial  K'spoiist'  s(*t  according  to  two  critc'ria. 

-  A  prohibition  is  applitnl  th(*  closer  possible  to  tlu'  start  stat('  of  tlu*  DFSM. 
ill  ord(*r  to  reduce'  n'sonrcc’  (‘oiisnniption.  This  is  niotivate'd  by  tlu*  fact  that 
when  the  access  is  deiiie'd  at  the  Ix'ginning  of  tlu*  DFSM.  siibse'cineiit  (U'pe'ii- 
(k'licy  acc('s.s(*s  an*  dt'iiu'd,  which  (ontribiitc's  in  rc'diu  ing  rc'.soiircc'  con.sunip- 
tion. 

The*  PDP  ininiinizc's  the*  configuration  changes  n'cjnirc'd  for  the*  applic*ation 
of  a  sc'curity  rule  by  niinimi/iiig  the  .sc'rvic'c^s  which  need  to  be  rc'conhgnrcHl. 

7.2  Selecting  Policy  Enforcement  Points 

S  is  the*  .sc't  of  servievs  ol)tained  from  the*  AADL  model.  We  modc'l  the*  DFSM  for 
the*  .service*  as  DFSMsi,,,,  '  where  s,  ^  S,,  C  S  is  an  aiitecede'iit 

for  sp,  f,  and  ap  G  71;  C  S  x  S  is  a  transition.  A  |)ath  j>tj  is  a  seeine'iicc  of  adjae  e'ut 
transitions  which  lead  from  the  ele|)e'nde*ncy  state*  .s*,  to  the*  depe'nde'iie'v  state*  s 
If  this  path  eloc's  not  c'xist  the'ii  pp  =  0.  for  an  input  se'cnrity  rule,  the  PDP 
e‘ros.se's  DFSAfs^,,,,-  It  sc'areTes  the*  minimal  se*t  of  ele'p(*iidene*ie's  whic  h  applie*s 
the*  .se*e-urity  rule*  and  rc'diiec's  su|)e'rHuous  re'soiire*e  transactions.  Algorithm  I 
ilhistrate*s  the*  behavior  of  the*  In  e-ase*  of  a  |)e'rniission,  the*  PDP  .searches  for 

the' dependency  j^atli  which  requires  the  least  nioelifications  (i.e*.  re'coii figurations) 
in  orde'r  to  allow  the  aewss.  ddu'  selected]  [)ath  is  liberat(*d  in  oreh*r  to  apply  the' 
in|)ut  |)e'nnissie)n.  In  e‘ase*  of  a  |)rohibition,  the'  PDP  elenic's  all  de|)ende'ncy  paths. 
When  alte*ring  a  ele‘|)e‘nel(*ney  state,  the  PDP  switclu's  to  the*  failure*  transitiein  e)f 
this  state*  aiiel  checks  that  it  eleie's  ne)t  belong  to  a  pe‘rmissible*  |)ath. 

8  Using  Dependencies  Models  for  Attack  Impact 
Propagation 

A  ser\  ic'C'  ele'i)enele'ncy  e'X|)re'.s.se*s  the  ne*e*el  for  the*  ele*|)e'nde’nt  sc'iaice'  te)  ace‘e*.ss  the 
ante'e'eeh'iit  service.  The*  de'pendent  ser\dce,  which  requires  .some'  privih'ge's  ne)t 
e*xplie*itly  assigiu'el  to  this  .se'r\*ie‘e'  (c'.g.  an  online  diree-te)ry  service  ne*e‘ds  aece'ss 
te)  public  data),  acce^sse*s  its  antc'cc'dent  servic-e*  (e.g.  elatabase*  sc'rvice*)  in  orele*! 
to  accinire*  the  re'epiircd  |)rivile'g('s  (c'.g.  fc'tch  data). 

We  formalize  the  .ser\  ice  ek'])enelenc>'  de'finitie)n  using  the*  RT  fraiiu'work  in 
[28],  and  spe'cificallv  the*  component.  RT^^  intre:)eluce*s  the  c'one-e'pt  of  re*que*st 
whie*h  is  re'pre*se'nte'el  by  a  ele*le*gatie)n  eTC'clential  that  de'h'gate's  from  the  re'epie'Ster 
te)  the  reeiuc'st..  Fe)r  e'xam|)le'.  that  Ea  requests  an  aiitheirizat ion  whie-h  beleing.s 
to  the'  role'  Rh  from  FJh  with  its  capacity  of  being  empowe'rc'd  in  the*  role  R(i  e*an 

Ea  as  Ha 

be  re'|)rese*nt(*d  by:  Ea  - ^  Eb.Rb.  We  use  the*  same*  de'h'gation  conce*pt  as 


16 


11.  Debar  et  al. 


input  :  Sr{'ryi)f\  s,  a,  o) 

output:  List  <  >  Resp  with  6-,  €  S 

FSMn  =  makeTransClosureCgetDFSMCa) ,  Sr)\ 
clStart  =  F.S A/rt  .start;  dEnd  =  FSM„ 
if  Type  =  Prohibit  ion  then 

forcach  pij  in  FSAL,  with  (i^dStart)  &  (j=dEiid)  do 

if  chkRespHistory (/J, j )  (returns  False  if  the  path  has  been  already  intercepted) 
then 

ciirStnti*  =  (iStart; 
repeat 

(MirStato  =:  cnrState.getNext (p,j ) ;  returns  the  next  state  on  the  path  p,j 
if  chkC&p&bilityi  cur  State)  then 

Rcsp.add(curi>’tatc.ylntS'crt»icc,  curState.Si') ; 
curStato.addHistoryC cur5tatc.5r) ;  add  Sr  to  the  resp.  history 
aiixPath  =  F.S*A/u  .getPathCcur.S’ttttf.getFailureTrans ()  ,  dEnd); 
if  (auxPath  ^  ('curS'tate. getFailureTransC). parent  ^  Idle)  then 
ptj  i—  auxPath; 

eiici 

until  curStatc  =  dEnd; 

end 

end 

else 

In  case  of  permission,  the  PDF  allows  the  path  reiquiring  minimum  modifications 
minPath  =  null;  niiriLongth  =  Infinity; 
foreach  p,j  in  FSMd  with  (i=dStart)  &  (j=dEnd)  do 
curLcngth  =  0. 
repeat 

IcurState  =  curState.getNext  )  ; 

if  .^chkRespHistoryC cur5ta/e)  then  curLongth  +-t-; 
until  curState  =  dEnd; 

if  curLength  <  miiiLength  then  (ininLength  =  curLpiigth:  rninPath  = 

end 

allowCrninPat/i) :  Liberates  the  path  in  parameter 

end 


Algorithm  1.  Evaluation  of  tlie  resulting  iiiipac*t  transfer  matrices 


ill  [28],  but  while  replacing  roles  with  privileges.  This  can  be  best  motivated  by 
the  fact  that  the  role  concept  in  role-based  iiiaiiageineiit  laiigiiag(\s  is  treated  as 
a  collection  of  pennissions  (i.e.  authorizations)  [29],  which  makes  it  compatible 
with  the  privilege  concept  for  service  dei)endencies. 

We  thus  repr(\s(Mit  a  depfuidency  for  a  service  A  towards  service  B  by  the 

{A.Cr\A.Pr) 

following  specification:  A  - >  B.'JZ.  It  states  that  the  dependent  service 

A,  in  its  faculty  of  having  tlu'  credential  (Cr)  and/or  the  privilege  {Pr),  recpiests 
the  jirivilege  IZ  from  the  antecedent  service  B,  We  shall  note  that  the  dependent 
service  may  use  more  than  a  single  credential  and/or  privilege  to  ac’cess  the 
antecedent  service.  Those  will  be  siiecified  in  the  depeiidcuicy  definition.  The 
dopeiidont  service,  after  it  satisfies  its  dependency,  acquires  additional  privileges 
granted  by  the  antecedent  service.  The  satisfaction  of  the  tlependency  implies 
the  sharing  of  the  privilege  set  TZ  between  the  dependent  and  the  antecedent 
services. 

We  use  the  definitions  of  a  service  dependency  and  trust  in  order  to  specify 
the  condition  for  a  dependency  to  b('  satisfied.  It  is  written  as: 


Service'  Dei^'iieleiiries  in  Information  Systems  Security 


IT 


AX'tA  Pr 

1  ( A  —  - ^  B  .  Tv  =>  A  .  JZ)  V  t  r  :(  *r ni  st  (  1  r  ).  S 11  bj or  t  (  t  r  ,  B ).  G  ran  t  CM*  (  t.  r  . 

7?))  . 

2  ( (  ’Fr  ust  ee  (  t  r  ,  C^'r )  .  Ownci  (  Cr  ,  A )  )  V  (  'Pr  u s  t  oc  (  t  r  ,  Pr  )  .  S  u  1>  j e(  t  {  Pr  ,  A )  )  |  . 

It  state's  that  a  dependene'y  is  e)uly  satisfied  wlu'ii  the  (l('])eiielent  service^  use's  the 
e're'eleiitials  and  privik'ges  which  apply  to  the  trust  re'lat ioiiships  iiiiple'iiieiite'el  by 
the'  aiite'ce'eleiit  service. 

8,1  MoeJeliiig  Attacks  in  tlie  Framework 

A  privile'ge'  is  affe'cte'd  either  by  being  illicitly  aceiuin'el  by  an  attacker  ov  by  being 
denied  to  its  l('gitiiiiate  nse'r.  Intrnsions  are  thus  introdiuM'd  in  this  paragraph  as 
a  way  by  which  an  attacker  alters  the  privilege  assignineiits.  An  intrusion  either 
proveikes  a  eleiiial  of  access  to  k'gitiinate  users  and/or  provide's  ille'gitiiiiate  aee'e'ss 
to  the  attacker.  Wx:*  define'  infected  pri\il('ges  as  being  those’  which  are  illegally 
ace]iiired  by  the  attacker,  and  revoked  privileges  as  being  those  which  are  illc'gally 
re'voke'd  to  the  target  .ser  vice,  and  con.se'epiently  to  all  of  its  users. 

\V('  use’  the  vulnerability  being  exple)ited  within  an  attaek  te)  ielentify  the  iin- 
pae:t  e)f  this  attack  e)n  the  target  .service.  We  thus  ele'fine  a  vulnerability  using 
th(’  pre/]X)St-coiiditk)n  ine)el('l.  as  in  [dO],  by  introelncing  the  folle)wiiig  attribute's: 
1.  Tar<]('t  te)  re'present  the  vulnerable  serviee.  2.  Access  te)  repre'sent  the  vulner¬ 
ability  ae  e  e'ss  ve’e’te)!*  (i.e'.  the  privile^ges  whie'h  iiinst  be'  satisfie'el  l)y  the  attacker 
be'fe)re  he’  ee)nlel  aee’e'ss  the  viilneral)ility ),  3.  hifccfs  te)  re’i)re’sent  privile'ge's  fe)r 
the’  target  service  which  are'  iiife’e  teel  by  the  intruder  in  ease  the  attaek  .snere'e'els 
anel  ^1.  Revokes  te)  represent  privileges  whieh  are'  re'\x)keel  te)  the  targe't  se'rvie-e' 
in  e’a.se’  the’  attaek  siie'ee'e’els.  Wo  ine)elel  an  attaek  using  the'  same  re'epie'st  state- 
nie'iit  as  fe)r  a  .service  depeneleney.  An  attacker,  with  his  faenlty  of  having  se)iiu' 
privile'ge's  (i.e'  vnlne’rability  ace’e'.ss  vector),  exple)its  a  vulnerability  on  a  target 
se'rvie*e’  in  orele'r  te)  incrc'a.se’  his  benefits  and  thus  te)  ae’epiire  aelditional  privi¬ 
leges  and/e)r  deny  other  privile'ge's  to  the  target  serviee.  Meanwhile,  the'  sne'erss 
e  e)nelitie)n  e)f  the  re'qnest  is  exteiide'd  in  order  to  ine*hiele'  inforinatie)ii  about  the' 
exploit  eel  vnhieral)ility.  We’  thus  introehice’  an  attae'k  impact  using  the'  folle)wing 
speeifieat  ie)ns: 

Att  Pi 

\  Alt  —  ^  B ,  Tv  ^  A 1 1  . 7?  o 

i.'  3\'  :  V'  ti  1 11  e r  a  bi  1  i  t  >■  (  v  )  ,  Tai  (  v  .  B  )  .  1  n  f <•  r  t  s  (  v  .  7?  )  .  A c c (  \  .  Pi  )  ,  S  n  b ji'Ct 

(  Pr  ,  A tt  )  . 

AH.Pr 

a  Att. - ►  B.T^  -  (1^.7?)  <=> 

i  3\'  :  V  n  1  iH*  r  a  1)  i  I  i  t  y  (  V  )  .  I'ai  Rct  (  V  .  B )  .  Revokes  (  v  .  7?  )  .  A  C(  t'ss  (  \  ,  Pr  )  ,  S  u  1)  i('c  t 
(Pr.Att) 

We  intre)dne’e  the  pre’die*ate'  /?/ fcrt((i{B.7Z)  to  repiTse'iit  the  e)ntee)me  of  the  fir.st 
attaek.  and  the  preelieate’  R(  v()k(  d{B.7Z)  te)  represent  the'  e)ntcome  of  the  .see  e)nel. 
We  may  al.se)  e'X[)le)re  the'  ee)rre'latie)n  o[‘  attacks  by  ee)m])aring  the  e)ntee)me'  e)f 
e)ne'  attaek  to  the  acce'.ss  ve'cte)!*  of  the  seeoiiel.  as  in  [30].  Meanwhile,  attac’k 
ce)iTelation  using  the  privile'ge'  model  is  ne)t  among  the  obje'ctives  of  this  paper. 
Attack  ee)rrelatie)n  e'liabk's  the  ee)mbinatioii  of  ele'ineiitary  impacts  with  the'  k'vel 
e)f  expe'rtise  re*epiired  for  snee’ee'eling  an  attae’k  and  the  prediction  e)f  intrusion 
objectivevs  in  order  to  fe)re'se'e  aelelitie)nal  impacts,  ddiis  is  a  subject  e)f  inte're'st 


18 


II.  Debar  et  al. 


which  must  bo  detailed  in  a  future  extension  to  this  study.  We  me  thus  interested 
ill  this  paper  in  evaluating  inii)a(’ts  of  element  ary  (i.('.  separated)  attacks. 

8.2  Attack  Impact  Propagation 

The  impact  of  an  attack  proi)agat('s  when  comi)onents  other  tlian  tlu*  one  being 
attacked  are  affected  by  the  attack.  The  attacker  acciuires  (resp.  revokes)  pr\v\- 
leges  granbxl  to  comjKnieiits  other  than  his  target  component.  He  bypasses  the 
trust  relations  already  configured  for  service  dependencies,  by  using  the  privi¬ 
leges  he  already  acquired,  in  order  to  increase  his  gain  (i.e.  system  loss).  We  inhu*, 
using  the  definitions  of  attacks,  (k'lxmdeiKUC’s  and  trust  n’latioiis,  the  conditions 
for  attack  iiiipad  j)ropagatioii  whi(‘h  are  suiiimarized  in  listing  1. 


Listing  1.  Attack  Impact:  Propagation  of  Infections  and  Revocations 

A  Tl 

1  Stmt  1:  I  n  fer  t  rU  ( A .  7i! )  A  3  (B,Q):  A - ►B.Q  =>  1  ii  fr  c  t  od  ( A  .  Q  ) 

A  Q 

2  Stmt  2:  Rt*vokt'd  (  B  .  7?  )  A  3  (A.Q):  A - *8  7?  =>  Revoked  ( A  .  Ti  ) 

A  n 

a  Stmt  3:  Revoked  (A .  7?  )  A  3  (B.Q):  A  - -•  B .  Q  =>  Revoked(A.Q) 

A  Q 

4  Stmt  4;  lnfected(B.7^)A  3  (A.Q):  A - ^  B.7?  =>  Infect  <^d  (A. Tv) 

Statement  1  characterizes  an  opj)ortuiiistic  attacker  who  accc.sse.s  an  antecedent 
service  after  his  attack  against  a  dependent  service.  The  attacktu*  illicitly  ac¬ 
quires  from  the  (k'l^endent  service  some  credentials  and/or  privileges  widt  h  are 
trusted  by  th('  antect'dent  service.  The  attacker  benefits  are  thus  extended  to  in¬ 
clude  all  the  privileges  granted  by  the  antecedent  service.  Statement  2  illustrates 
availability  propagation.  The  revocation  of  some  privileges  from  an  antecedent 
service  makes  them  unavailable  for  its  dependent  services.  In  statement  3,  a  tar¬ 
get  service  is  revoked  from  some  credcuitials  and/or  privilege's  it  uses  to  access 
an  antecM'dent  service.  It  is  thus  revoked  from  tlu'  privileges  shared  by  the  an¬ 
tecedent  ser\ice,  and  so  for  all  the  users  of  the  dependent  .service.  Statement  4 
characterizes  an  midiscijTlined  attacker  who  u.ses  the  inh'cted  privileges  in  order 
to  accf^ss  any  d('i)eudency  and  thus  to  increase  his  gain. 

While  impacts  iteratively  propagate  through  service  dependencies,  the  n^sult- 
ing  attack  impact  corresponds  to  all  infected  (V(u,Pr)  :  Inf (Tt( (I{iLPr))  and 
revoked  (V(u./h')  :  Ret^oked{xi.Pr))  i:)rivileges.  Our  model  also  evaluates  the 
conjunction  of  multii)le  attacks.  By  separately  infecting  more  privilegc.s,  more 
dependencies  could  be  infected,  and  so  more  damages  coulrl  be  inflicted  to  the 
system.  Since  we  evaluate'  al.so  the'  ini])act  of  comite'riiu'asun's  on  users,  we  can 
compare  the  inq^act  of  attacks  and  coimtermeasiires  candidates  to  select  the  best 
operational  coinproinise'. 

9  Conclusion 

In  this  pa[)('r,  we  have  demonstrated  the  moch'Iiiig  of  dependencies  in  the  conte'xt 
of  information  systems  security,  with  an  application  to  hndiiig  policy  enforcement 


Service  Dependencies  in  Information  Systems  Security 


19 


points  and  to  i)ropagating  the  impact  of  attacks  and  count erinoasiirt's.  \\  liile  in 
the  paper  we  limit  ourselves  to  the  theoretical  aspects  of  these  models,  additional 
work  has  shown  that  these  models  can  he  of  use  do  model  simple'  service's  inchuling 
me'ssaging.  anthe'iitication  and  web  .servie  es. 

We  are  furtlu'r  exteneling  this  work  te)warel.s  sininlat ie)n.  in  e)rele'r  te)  cemipnte 
the'  impact  of  attacks  anel  cemiite'r-nK'asure'S  on  larger  information  systems.  This 
will  I'liahU'  ope'rators  to  e)l)tain  a  d('e  isiejn  suppe)rt  te)e)l  that  itenatively  informs 
tliem  about  the'  e'e)sts  as.sexiate^el  with  the  emrre'iit  configuration  of  their  infe)r- 
matie)!!  systems,  anel  te)  help  thenn  dexiele'  upon  coufiguratie)n  e  hanges  baseel  on 
einaiit  itative'  infonnation. 

R(?ferences 

1.  during,  A.M.:  On  ('e)mpntal)Ie  numbers,  with  an  application  te)  the  entschei- 
ehmgspre)blem.  Proeve'dings  e)f  the  London  Mathematical  Se)cie'ty  2.  2.d()  2()r)  (D.dfi) 

2.  (le)ld.st iiie,  II.H.,  ve)n  Ne'umann.  On  the*  principle's  of  large'  scale'  computing 
niaehiiies.  In:  dVmb,  A.  (ed.)  .John  von  Ne'iimami  Cedle’cte’el  Works,  ve>l.  \^,  pj). 
I  ‘52.  The  Macmillan  Ce).,  Ne'w  Ve)rk  (I9r).‘5) 

.‘5.  Shenke'r.  S.,  \\Te)( lawski.  Ne'twe)rk  eleiiu'nt.  se'ivie-e  .s])e'e*ificat ion  template  Nei- 
we)rk  We)rking  (Ironj)  Reepu'st  for  Ce)nmu'nts  (1997), 
http: //www. ietf . org/rf c/rf c2216 . txt 

1.  Be)vle,  .1..  (V)heii.  H.,  Durham,  D.,  Rajaii.  R..  llerze)g.  S  ,  Sastry.  A.:  The  eops  (ce)m- 
nion  e)pe'n  pe)lie'y  .service)  protexe)!.  Network  \Ve)rking  Ore)np  Rexpie'st  fe>i  C’omme'nts 
(2000).  http : //www. ietf . org/rf c/rf c2748 . txt 

5.  ele  Albnepierejne*.  P..I..  Krnmni.  II.,  de'  Gens,  P.L.:  Pe)licy  me)deling  and  refine'inent 
for  netwe)rk  sex-nrity  sy.ste'ins.  In:  POLICY  2005:  Proeeedings  of  the  Sixth  Ihd^dC 
International  Workshop  on  Pe)liei('s  for  Di.stribnte'el  Systems  anel  Networks,  W  ash- 
ingte)!!.  DC.  USA,  pj).  24  33.  IEEE  Ce:»mpiiter  Society,  Le)s  Alamite)s  (2005) 

().  Ensel.  C.,  Keller,  A.:  An  ai)pre)ach  fe)r  managing  se'i  vice'  elependeneie's  with  xml  anel 
the  re'somee  ele'se  riptie)ii  framework.  .1.  Ne'tw.  Syst.  Manage.  10.  147  170  (2002) 

7  Ding.  II.,  Sha,  L.:  Depe'iideney  alge'hra:  A  te)e)l  for  ele.'sigiiiiig  re)hnst  re'al-time*  .sys¬ 
tems.  In:  IEEE  International  e)ii  Re'al-d'inie  Systems  Symposium,  pp.  210  220 
(2005) 

8.  Ranelie ,  M..  Bla.skovi<  ,  FL,  Kne'ze’vie*.  P.:  Moeh'ling  .seTviee'  elope'iieleiieie's  in  ad  hoc 
eollahorative  systems.  In:  Pre)e('eKlings  of  FAJROCON  2005.  j)p.  1812  1845.  lh]E]'] 
Computer  Se)eie'ty.  Le)s  Alaniitos  (2005) 

9.  Ke'ller,  A.,  Kar,  G.:  Dynamic  depeneh'iicie's  in  apj)lieation  service  management. 
In:  Proeex'dings  of  the  2000  International  Conferenee  on  Parallel  anel  Distrihnte'd 
Pre)ce'ssing  Te'diniepies  and  Applicatie)ns,  PDPTA  2000.  Las  W'gas,  N\’.  USA  (2000) 

10.  Dacier,  M..  l)e'swait(\  Y..  Kaanie  he'.  XL:  Quant itatiw  a.s.se'.ssm('nt  ejf  operational 
security:  Me)elels  and  tex)l.s.  In:  LAAS  Research  Rcj)ort  96493  (199()) 

11.  Balepin.  L.  Maltse'v,  S..  Rowe.  .J.,  Le'vitt.  K.:  Using  specifieatie)n-l)ased  intrnsie)n 
de'te'ctioii  for  aiitomateel  re'spe)iise.  In:  Procexxlings  of  the  (ith  International  Sym- 
posimu  e)n  Rec  ent  Aelvanex's  in  Int  rusion  Detex  t  ion,  pp.  136  154  (2003) 

12.  Toth.  T.,  Krne'gel,  C.:  Evaluating  the  impact  e)f  automat e'd  intrusion  re'spe)ns(' 
ine'chani.sms.  In:  ACSAC  2002;  Proceedings  of  the  18th  Animal  Computer  Sex  iirity 
Ap[)licatie)ns  CeinfeaeMice.  W a.sliingte)n.  DC.  USA,  p.  301.  lEl^E  (X)mpnter  Society, 
l.os  Alaniitos  (2002) 


20 


H.  Debar  ct  al. 


13.  .lalinkc,  M.,  Thiil,  C.,  Martini,  P.:  Graph  based  metrics  for  intrusion  response 
measures  in  coinpiiter  networks.  In:  LCN  2007:  Proceedings  of  the  32iid  IEEE 
Conference  on  Local  Computer  Networks,  Washington,  DC,  USA,  pp.  1035  1042. 
IEEE  Computer  Society,  Los  Alamitos  (2007) 

14.  Grnschke,  B.:  Integrated  event  management:  Event  correlation  using  dependency 
graphs.  In:  Proceedings  of  DSOM  1998,  Ninth  Annual  IFIP/IEEE  International 
Workshop  on  Distributed  Systems:  Operations  and  Management,  Newark.  DE, 
USA  (1998) 

15.  Riigina,  A.E.,  Kanonn.  K.,  Kaaniche,  M.:  Architecting  dependable  systems  IV. 
In:  A  System  Dependability  Modeling  Framework  using  AADL  and  GSPNs.  pp. 
14  38.  Springer,  Heidelberg  (2007) 

16.  Papadaki.  M.,  Purnell,  S.:  Informing  the  decision  process  in  an  automated  intrusion 
respoii.se  system.  Information  Security  Technical  Report  10.  150  161  (2005) 

17.  Noel.  S..  Jajodia,  S.:  Managing  attack  graph  complexity  through  visual  hierarchical 
aggregation.  In:  CCS  Workshop  on  V^isualization  and  Data  Mining  for  Computer 
Security  (2004) 

18.  Sheyner,  ()..  Wing.  J.:  Tools  for  generating  and  analyzing  attack  graphs.  In:  de 
Boer,  F.S.,  Bonsanguc,  M.M.,  Graf,  S.,  dc  Roever,  W.-P.  (cds.)  FMCO  2003.  LNCS, 
vol.  3188,  pp.  344  371.  Springer,  Heidelberg  (2004) 

19.  Noel,  S.,  Jajodia,  S.,  O’Berry,  B..  Jacobs,  M.:  Efficient  minimum-cost  network 
hardening  via  exploit  dependency  graphs.  In;  Proceedings  of  the  19th  Annual  Con¬ 
ference  ACSAC  (2003) 

20.  Balepiii,  I.,  Maltsev,  S.,  Rowe,  J..  Levitt,  K.:  Using  specification-based  intrusion 
detection  for  automated  response.  In:  Proc'cedings  of  the  6th  International  Sym¬ 
posium  RAID,  pp.  136  154  (2003) 

21.  Jahnke.  M.,  ThnI,  C..  Martini,  P.:  Graph  based  metrics  for  intrusion  response 
measures  in  computer  networks.  In:  32nd  IEP]P]  Conference  on  Local  Computer 
Networks  (2007) 

22.  Khcir,  N.,  Debar,  IL,  Cuppens-Boiilahia,  N.,  Ciippens,  F.,  Viinikka,  J.:  Cost  asses.s- 
ment  for  intrusion  response  using  dependency  graphs.  In:  Proc.  IFIP  International 
Conference  N2S  (2009) 

23.  Toth,  T.,  Kruegel,  C.:  Evaluating  the  impact  of  automated  intrusion  response 
mechanisms.  In:  Proceedings  of  the  18th  Annual  Conference  ACSAC  (2002) 

24.  International  Society  of  Automotive  Engineers:  SAE-AS5506:  SAE  architecture 
analysis  and  design  language  (2004) 

25.  Strasbnrg,  C..  Stakhanova.  N..  Basu,  S..  Wong,  J.S.:  Intrusion  response  cost  assess¬ 
ment  methodology.  In:  Proceedings  of  the  4th  International  Symposium  ASIACCS. 
pp.  388-391  (2009) 

26.  International  Society  of  Automotive  Engineers:  SAE-AS5506/1:  SAE  architecture 
analysis  and  design  language,  error  model  annex  (2006) 

27.  Thomas,  Y.,  Debar.  H.,  Ciippens,  F.,  Cuppeiis-Boulahia,  N.:  Enabling  automated 
threat  response  through  the  use  of  a  dynamic  security  policy.  .Journal  in  Computer 
ViroIog\^  (JCV)  3,  195  210  (2007) 

28.  Li.  N..  Mitchell,  J.,  Winsborough,  W.:  Design  of  a  role-based  trust-nianagenient 
framework.  Proceedings  of  the  the  2002  IEEE  Symposium  on  Security  and  Pri¬ 
vacy  1,  114  (2002) 

29.  Sandhu,  R.S.,  Coyne,  E.J.,  Feinstein.  H.L.,  Youman,  C.E.:  Role-based  access  con¬ 
trol  models.  IEEE  Computer  2f).  38-47  (1996) 

30.  Ciippens,  P\,  Autrel.  F.,  Yacine  Bouzida.  J.G..  Goinbault,  S.,  Sans,  T.:  Anti- 
correlation  as  a  criterion  to  select  appropriate  counter-nieasurcs  in  an  intrusion 
detection  framework.  Annals  of  Telecommunications  61,  197-217  (2006) 


Secure  Applications  without  Secure 
Infrastructures 


Dic'tor  Gollniaiiii 

llanibiirg  University  of  Teehnology.  flainhurg.  Germany 
diego(Otu-harburg .  de 


Abstract.  The  lnt('rnet  (together  with  oUkt  eomnumieat ions  syst ('ins) 
has  heeonie  a  critical  infrastructure  in  industrialized  societies.  We  will 
exainiiK'  to  which  extent  I  his  infrastructure  needs  to  be  .sc'cnn'd  for  ap¬ 
plications  to  be  deployed  securely.  We  will  give  exainph's  for  application 
lay('r  attacks  that  cannot  In*  (h'fended  against  at  the  infrastructure  layer, 
lli'iice,  deploying  a  si'cure  iiifriustnicturi'  is  not  sullicieiit  to  protin  t  criti¬ 
cal  applications.  (Wiiversely.  we  will  give  exampk'S  wheri'  an  application 
can  be  protected  without  relying  on  security  services  j)rovided  by  the 
infra.st  riictnre.  Hence,  df'ploying  a  s('cnr('  infrastriicturo  is  not  necessary 
to  protect  critical  applkations.  We  will  argue  that  it  is  only  ('ssential  for 
the  coinpntiiig  infrastriictme  to  protect  its  own  execution  integrity  and 
for  the  conmiuiiicat ions  infrastructure  to  offer  availability. 

Keywords:  (’ritical  infrastructures,  application  .security,  security  engi- 
neei  ing. 


1  Introduction 

It  is  today  coiiiiiioii  place  to  ob.serve  that  iiuhistrializtHl  societi(\s  liav('  Ix'coine 
reliant  on  I  T  to  such  an  t'xtt'iit  that  the  Inteinet  (together  with  other  coin- 
niiinications  systems)  Inis  beconu'  a  critical  infrastructure.  It  would  then  .setun 
natural  that  this  infra.st  nut  iir(‘  iinist  be  protetUed  against  attacks;  otluuwise  w(' 
could  no  longtT  nsi'  the  .services  we  liavt^  Ix'come  so  accnstoined  to  rely  on.  This 
view  would  b(‘  siipportt'd  by  the  history  of  IT  security,  which  has  iiiiiiortaiit  orb 
gins  ill  operating  systems  si'Ciirity  and  conmiimieations  security.  Both  provide 
prot(Ttioii  at  the  level  of  IT  iiifnistriictnres. 

We  will  argue  that  such  a  view  is  mi.stakeii.  Protc'cUioii  of  the  iiifrastruetiirc’ 
is  iieitlier  Hece.ssary  nor  siiffieieiit  to  jiroti'ct  applications  (l<'])loved  on  the  iiifras- 
triK'ture.  Society  relies  in  the  first  instance  on  the  services  provided  by  tlu'se 
applic  ations.  Hence,  critical  applications  nec'd  to  be  protcvted.  Protection  of  (be 
infriustruetiire  is  only  nece.ssary  to  the  extent  recinired  by  the  application.  To  Ix' 
preci.se.  \v(*  have  to  start  from  a  risk  analysis  for  a  given  aj)i)lieatioii  and  then 
decide  which  attacks  are  l)(\st  (l(‘f(md('d  against  within  th('  application,  and  wIkmi 
it  is  better  to  rcdy  on  sc'ciirity  .services  proidded  by  the  infrastructure. 

We  will  illustrate  this  point  with  a  iimnber  of  case  .studies.  With  tlu'  advent  of 
the  World  Wbde  Web  security  functions  such  as  acce.ss  control  started  to  move' 

1.  Kolcuikd  and  V.  Skormin  (Ikls  ):  MMM-AC’NS  2010,  l.NCS  625S.  pp  21  31.  20111. 

0  Springrr-Wrlag  Berlin  Heidelberg  2010 


22 


D,  Gollinaini 


from  tlic  operating  system  into  the  browser.  This  trend  is  still  continuing.  Access 
control  in  browsers  increasingly  resembles  access  control  in  a  traditional  oper¬ 
ating  system.  Attacks  such  as  cross-site  request  forgery  and  cross-site  scripting 
cause  us  to  move  defences  from  the  browser  into  individual  web  pages.  We  will 
then  briefly  cover  DNS  seenrity  and  in  particular  DNS  rebinding  attacks  to  di.s- 
enss  which  security  services  should  be  expected  from  the  infrastructure  (DNS,  in 
this  case)  and  where  the  api)licatioii  should  protect  itself.  Finally,  we  will  discuss 
attacks  on  applications  that  rely  on  SSL/TLS  to  show  that  securing  coinnmni- 
cations  may  not  be  sufficient  for  securing  the  application.  In  simimary,  we  will 
make  the  case  that  seenrity  is  inoving  to  the  application  layer. 

2  Browser  Security 

Ill  the  lOTOs  and  1980s  work  in  computer  security  had  a  strong  focus  on  operating 
system  security.  The  operating  system  can  be  viewed  as  an  infrastructure  compo¬ 
nent  providing  users  and  applications  with  a  file  system,  managing  memory,  and 
managing  processes.  The  security  services  provided  by  this  infrastructure  refer  in 
the  main  to  memory  and  file  inaiiagement.  Processes  should  not  be  able  to  read 
from  or  write  to  memory  locations  allocated  to  other  proccs.ses,  unless  explicitly 
intended  by  inter-process  communications.  Users  sharing  a  machine  should  get 
access  to  files  only  if  jierinitted  by  the  policy  given  (multi-user  security).  Funda¬ 
mental  security  coiice[)ts  such  as  status  information  (supervisor/root  and  user 
mode),  capabilities,  and  access  control  lists  were  developed  in  this  time. 

The  attack<M*  was  a  user  with  (legitimate)  access  to  the  operating  system 
interface  trying  to  enhance  his  privileges  or  to  get  illegitimate  access  to  resources. 
Security  features  in  an  application  could  typically  be  dLsablcd  by  an  attacker  with 
supervisor  permissions  at  the  o})erating  system  level,  for  example  by  changing 
the  security  .settings  of  the  application.  In  this  scenario  application  security 
intrinsically  relies  on  the  security  services  supplied  by  the  infrastructure, 

2.1  Browser  Sandbox 

This  situation  changed  in  tlie  199().s  when  the  Internet  was  opened  to  general  use 
and  the  first  graphical  web  browsers  emerged.  The  attacker  now  was  a  remote 
entity  using  the  interfaces  provided  by  network  protocols  and  in  particular  by 
the  web  browser.  Access  control  in  the  Java  sandbox  could  constrain  code  inde¬ 
pendently  of  any  security  services  inipleiiiented  by  the  operating  system.  If  we 
treat  the  browser  as  an  application  rumiiiig  on  top  of  an  oi)crating  system,  we 
have  an  instance  of  an  application  that  includes  its  own  protection  mechanisms 
without  n'lying  on  seviirity  services  provided  by  the  infrastructure.  The  refejmcc 
nt on i tor  had  moved  from  the  oi)erating  .system  into  the  browser. 

2.2  Software  Security 

At  the  same  time*  software  security  deficiencies  in  the  operating  system  started 
to  attract  much  attention.  A  remote  attacker  could,  for  example,  exploit  a  buffer 


S(*ciir<‘  Applications  without  Secure  Iiifrastmctiiros 


ovnrun  viiliiorability  to  niii  code  on  n  viotiiii's  niaoliiiie  [13].  Pnig-of-death  was 
a  (louial-of-sorvice  attack  of  th(»  same  kind.  To  d('f(‘iid  against  sucli  attacks  tlu' 
iiifrastrnrtiire  had  to  he  seonre  in  the  sense  that  it  could  d('al  with  intentionally 
nialfonned  inputs  [9].  In  otlK'r  words,  tlie  infrastructure  has  to  guarantee  its  own 
(X(rnti()u  hitcgrity  but  does  not  liav(‘  to  supply  th('  a])plicati()n  with  security 
S('i  vic('s. 


3  Web  Page  Security 

A  wvh  pag('  is  recinestetl  by  the  clituit's  browser  through  an  HTri^  rcHpiest. 
HTTP  cooki(‘s  iiichuh'd  in  a  rc'qnest  may  authenticate  th('  client  to  tin*  hrowsc'r. 
S(‘rver-sid(*  scripts  proc('ss  n^piest  i)arainet('rs  to  constriiet  instructions  to  back- 
('11(1  serv('rs.  d1ie  response  is  transmitt('d  from  w('b  s('rv('r  to  client  and  ren- 
(h'H'd  by  th('  (di('iit's  browser.  The  server  may  set  (‘ooki(‘S  in  a  r(\s])()nse  lu'ach'r. 
Dynamic  web  pag(‘s  contain  scripts  acc('])tiiig  user  input.  Scripts  may  ixnpK'st 
fnrtlK'r  s(*rv('r  ('oinu'ctions.  S(‘V('ral  attack  vectors  targi't  this  interplay  between 
cli('nt  and  servers. 

An  attack(*r  may  r(*tri('V('  c()oki('.s  from  the  client,  be  it  to  profile  the  user  or 
to  ns('  the  cooki(\s  to  iinper.sonate  the  (‘lient. 

—  A  inalieions  .script  in  a  w('b  page  may  pi'rforin  inap])r()priate  operations  on 
th(‘  cli('nt. 

A  malicious  scrij)!  may  iis(*  tin*  clii'iit  as  a  st('pping  stone  to  attack  a  third 
party. 

A  niali(‘i()ns  user  may  s('n(l  malfornu'd  ini)nts  in  an  ll  r TP  rixpK'st  to  p(‘rf()ini 
inai)propriat(‘  actions  with  the  help  of  vuhu'rable  server-side  scripts  (('odi' 
iiijc'ct  ion). 


3.1  Code  Injection  Attacks 

SQL  ttrjedfon  is  an  ('xamph*  for  a  code  injecticjii  att/u‘k.  A  s('rv('r-sid('  script  lon- 
stnu'ts  a  SQL  ([iK'ry  for  a  i)ack-('n(l  database  server  as  a  string  put  togetlu'r  from 
c()d('  fragments  that  should  capture  tin*  (piery  logic  and  from  ri'qnest  paraiiK'- 
t(*rs.  Malfornu'd  user  input  in  r(*(iu('st  parameters  can  change  the  (pUTV  logu*  or 
insert  new  database  instructions.  Note  that  a  single  qu()t('  terminates  strings  in 
SQL.  1  h('  attacker  could  thus  submit  input  containing  a  single  (in()t('  followed 
by  SQL  clauses  wliidi  would  tlu'u  b('(‘()me  part  of  the  ciuery. 

To  defi'iid  against  this  attack  w('  could  ('ith('r  include  suitable  sanUizatam 
op(  valors  in  the  script  that  aim  to  deti'ct  and  iK'iitralize  malformed  inputs.  This 
defence  is  located  firinly  within  the  application.  Alti'rnativcdy,  we  could  mod¬ 
ify  tlu*  infrastriK'tiir(*  so  that  it  can  protect  its  own  ('xiunitiou  int('grity.  lnst('ad 
of  (tons! met ing  dataluise  queri('s  as  strings,  queries  are  precompiled  with  plac('- 
holders  for  nsca*  ini)nt.  The  actual  n.ser  input  is  siibsl itnt('(l  for  these  pla.e(diol(l(‘rs 
(bound  parameters)  at  runtinie. 


24 


D.  Gollinanii 


3.2  Origin  Based  Access  Control 

At  the  client  side  the  browser  has  become  the  infrastructure  for  liaiulling  web 
pages.  Today,  tliis  infrastructure  ])rovides  the  following  security  services: 

—  The  browser  controls  how  cookies  an'  included  in  recpiests;  the  widely  adopted 
same  origin  policy  states  that  a  cookie  may  only  be  included  in  requests  to 
the  domain  that  had  set  the  cookie. 

—  The  browser  controls  to  which  extent  a  script  in  a  web  page  may  access 
local  memory;  in  the  initial  Java  sandbox  i)olicy  a  scrij)!  had  no  access  to 
local  memory;  in  tlu'  Java  2  security  model  more  fine  grained  access  control 
became  po.ssibk^  [8], 

—  The  browser  controls  where  a  script  in  a  web  page  may  connect  to;  again, 
the  same  origin  policy  is  usually  applied  to  regulate  this  aspect. 

Ill  all  three  cases  the  browser  perforins  access  control  with  respect  to  an  origin 
ba.sed  security  jiolicy.  To  enforce  such  a  policy,  the  browser  must  authenticate 
the  origin  of  a  web  page.  Current  l^rowsers  do  this  in  a  rudiiiieiitary  way.  They 
translate'  betw('('ii  the  IP  address  of  the  server  the  page  has  been  received  from 
(more  on  this  in  section  4)  and  the  domain  name  of  this  server,  but  there  is  no 
fine  grained  authentication  of  the  individual  parts  of  a  web  page. 


3.3  Cross-Site  Scripting  and  Cross-Site  Request  Forgery 

This  shortcoming  is  exploited  by  (Toss-sUe  script  lug  attacks  (XSS)  [5].  Such  an 
attack  uses  a  Trusted'  server,  i.e.  a  server  with  more  access  rights  than  those 
granted  to  the  attacker,  as  a  stepping  stone.  A  malicious  script  might  be  placed 
directly  in  a  page  on  the  trusted  server  (stored  XSS,  e.g.  via  a  bulletiu  board).  In 
another  version  of  XSS  the  script  is  hidden  in  a  form  in  a  page  on  the  attacker's 
server.  When  a  victim  visits  this  page'  a  reqiu'st  that  contains  the'  hidden  script 
as  a  query  parameter  is  antoinatically  sent  te)  the'  triisteel  serve'r.  Should  the 
server  mirror  this  e|ue'ry  parameter  back  to  the  victim  (e.g.  in  a  resjiouse  to  a 
search)  the'  script  is  exeente'd  in  the  victim’s  browse'i*  with  the  ae’e  ess  rights  of  the 
trusted  serve'r  (reflected  XSS).  XSS  can  be  used,  feir  example,  to  steal  cookies 
from  the  client. 

Autheiiticalie)!!  e)f  eirigin  has  faile'el  iis  it  eliel  not  e:orrectly  e'aptiire  the  true 
origin  of  the  at  tackcr’s  contribution  to  the  page  receiveel  from  the  server.  Cross- 
site  re'quest  feirgery  attae:ks  targeting  a  se'rver  follow  a  similar  j^rinciple  [4].  The 
server  has  to  Trust'  a  client,  i.e.  there  has  to  be  an  authenticated  session  (more 
on  this  in  section  5)  where  the  client  has  more  access  rights  than  those'  granted 
to  the  attacker.  The  attacker  manages  to  scud  actions  to  the  server  within  this 
session,  which  are  then  executed  with  the  access  rights  of  the  clie'iit. 

Client  and  server  could  perform  aiitheiitication  at  the  application  layer  to 
defend  against  this  type  of  attack,  rather  than  relying  on  the  infrastructure 
provided  by  browsers  and  web  servers.  So-called  XSRF  prevention  tokens  are 
message  authentication  codes  for  actions  computed  from  a  shared  secret  that 


Sociire  Applications  without  Secure  liifrastructiin's 


25 


had  been  ('stal)lislie(l  when  the  session  was  created.  It  is  essential  to  store  this 
secret  at  the  client  .side  in  a  place  ont  of  reach  for  an  attaeker  able  to  cinaiinveiit 
th('  laowser’s  origin  based  security  policies.  Onee  more,  the  application  tak(\s  (‘are 
of  security  and  do(’S  not  rely  on  a  s('curity  service  provided  by  the  infrastructure'. 

4  DNS  Security 

Th('  Domain  Name  Syste'in  (DNS)  is,  in  a  nutshell,  a  disti ibute'd  dii('ctor\*  ser- 
viee  managing  information  about  so-called  doniaru  iiaiu(  s.  Its  (ore  sc’rvice  is  the 
mapping  from  host  names  to  IP  addresses,  perforiiu'd  for  each  domain  by  one  of 
the  authoritative  name  seiners  for  that  domain.  TIk'  DNS  is  a  critical  infrast.ruc- 
tiin'  for  th('  World  Wide'  Wei).  Users  rely  on  a  corn'ct  binding  from  host  names 
to  IP  addn'ss  to  g('t  access  to  the  si'rvices  they  wish  to  us('.  Browsers  rely  on 
(‘orn^ct  bindings  when  enforcing  origin  base'd  s('curity  policii's. 

4.1  Cache  Poisoning 

riK’re  ar('  two  tyjx's  of  attacks  that  ])reak  the  corn'ct  binding  betwec'ii  host 
names  and  IP  addri'ssi's.  On  one  side  there  are  the  'traditioiial*  attacks  imp('r- 
sonating  an  authoritative'  name  server  to  forge'  IP  address('s  in  the  domain  of  that 
serve'r.  Cache  poisoning  attacks  exj)loit  certain  fe'at lire's  of  the  DNS,  including 
the*  (‘a(‘liing  strate'gy  of  rese)lving  name'  se'i  vers  anel  a  challenge'- response'  authoii- 
tication  that  relies  only  on  the  niipre'ehct ability  of  (’hallenge's,  to  achieve'  this 
goal.  A  particularly  effe'e  tive  cache  poisoning  attack  using  so-called  additional 
re'soiirce  ivcord.s  is  due  to  Dan  Kaminsky U  Defence's  against  cache  ])()isoning 
attacks  can  be'  jirovided  at  the'  infrasl ructure  le\’e‘l.  e.g.  by  rmmiiig  se'parate 
re'solving  and  authoritative  name  .se'rvers  in  a  domain,  by  ele'signatiiig  random 
ports  for  re'plies  from  the  authoritative  name  .server  as  to  increase'  un])redict abil¬ 
ity,  and  ultimately  by  having  the*  re'sponse  from  the  authoritative  name  ser\e'r 
digitally  sigiie'd  (DNSSe'c,  RFC  4033  to  RFC  1035  [1,2..3]). 


4.2  DNS  Rebinding 

The're  is  a  .se'cond  tyjK'  of  attack  where  an  authoritative  name  scTver  is  the  soure'e' 
e)f  inexirre'ct  bindings.  Such  DNS  rebinding  attacks  iuu\  were*  first  discusse'd  in  [G]. 
DNS  re'binding  attae^ks  ewploiting  feature's  of  browser  jiliig-iiis  are'  elescribe'd  in 
[10].  With  DNS  rebinding  the'  attacker  circumvents  origin  bjuse'd  policies  in  the' 
client  hrowse'r.  Feir  e'xample',  a  scri])t  freiin  a  ])age  hosted  by  the'  attacke'i*  may 
ce)imect  te)  a  victim’s  IP  adelre.s.s  the  browser  accepts  to  be  in  the  attacker's 
domain  bexanse'  it  has  be'e'ii  teild  so  by  the'  attackers  autlioritati\‘e'  name'  se'rve'i*. 

1'he  client  browser  woiilel  ha\'e  to  double  clu'ck  with  the  host  at  the  de'signate'd 
IP  aelelre^ss  whethe'r  it  considers  itself  to  be  in  the  attacke'r's  domain.  It  must  alse) 

For  details  se’e*  e'.g., 

http :  //iinixwiz .  net/techtips/ iguide-kaminsky-dns-  vuln .  html 


1 


2(> 


D.  Gonmanii 


be  noted  that  it  is  an  intrinsic  problem  if  the  client  accepts  policy  inforniation 
from  a  third  party  without  chet  king  its  veracity. 

More  ^('nerally.  we  may  ask  whether  it  is  necessary  for  an  applicat  ion  to  rely 
on  the  DNS  to  provide  an  authenticated  binding  between  a  name  (not  iK'ces- 
sarily  a  iloiuain  name)  and  an  IP  address.  Alternatively,  we  could  split  the  task 
of  a  rendezvous  service  that  binds  a  name  to  an  unautheuticated  IP  address 
from  the  task  of  an  authentication  service  verifying  that  an  addvo.ss  given  indec'd 
l)elongs  to  that  name.  The  security  property  expected  from  the  infrastrnctiire 
woukl  then  b('  availability,  which  might  be  achieved  by  running  mnltiple  inde¬ 
pendent  rendezvous  services.  Address  authentication  could  be  iinplemented  in 
the  application  layer,  e.g.  based  on  secrets  shared  between  client  and  server  such 
as  a  user  password. 

5  Secure  Sessions 

Besides  operating  systems  s(‘curity,  communications  security  has  been  the  .second 
main  pillar  of  information  security.  Protocol  suites  such  as  SSL/TLS  (TLS  vl.2, 
[7])  or  IPsec  [11]  facilitate  the  establishment  of  secure  channels  bc'twcen  two 
parties  that  are  connected  via  an  insecure  network.  More  precisely,  the  thrc'at 
model  iis.snmc's  an  attacker  that  can  read,  delete,  insert,  modify,  and  replay 
traffic;  direct  attacks  against  cud  systems  are,  however,  not  considered. 

In  the  199()s  distributed  applications  w'ere  ‘.secured’  by  ninning  the  application 
over  SSL.  https  is  a  prime'  example  for  this  pattcTii:  a  secure  wc'b  page  is  a 
page  accesscnl  via  an  SSL/TLS  channel.  Application  .security  builds  directly  on 
sc'cnrity  .servi(*es  provided  by  the  comnmiiications  iufrastrnctnre. 

This  approach  has  two  shortcomings.  Many  end  systems  are  not  well  .secured. 
This  invalidatc's  one  major  a.ssnmption  of  the  threat  model  that  nndc'rpins  tradi¬ 
tional  conimmiications  sc^enrity.  Arguably,  it  is  more  realistic  to  a.s.smne  that  the 
connnunications  system  is  secure  but  current  end  systems  are  not,  rather  than 
the  other  way  round.  Section  2  has  already  hinted  at  this  problem.  S('condIy, 
attempts  at  linking  concurrent  sessions  establislu'd  at  different  protocol  layers 
may  fail. 

Considc'r  the  following  i)rocc‘diire  for  establishing  a  mutually  authenticated 
api)lication  layi'r  session  Ix'tween  a  user  and  a  server  that  share  a  .secret  password. 
First,  the  user’s  client  establishes  an  SSL/TLS  chaiiiicl  with  the  server  (host). 
In  this  step  the  client's  browser  checks  that  the  distinguished  name  in  the  scu  veu* 
(‘crtificate  matches  the  host  visited  and  that  the  certificate  is  still  valid.  The  user 
then  scalds  the  password  via  the  SSL/TLS  channel;  the  server  aiithcaiticates  the 
u.ser  and  returns  a  HTTP  cookie  to  the  client.  This  cookie  is  included  in  future 
recinests  issued  within  the  application  layer  .sc'ssion.  The  server  takes  the  cookie 
as  evidence  that  the  requests  are  coming  from  the  user  previously  authenticated. 
The  EAP-TTLS  protcjcol  gives  a  c'oncrete  inipleiiic'ntation  of  this  authentication 
pattern  (Figure  1). 


Sc'curr  Applications  vvitliout  Sc'ciik'  Infrastrnctiin's 


*27 


Fig.  1.  FAP  TuniK'lcd  T1.S:  KAP-T  I  LSvO  with  CHAP 


5.1  Man-iu-tho-Mid(lle  Attacks 

A  protocol  such  as  EAP-TTLS  acliicvt's  its  goal  as  long  as  tlic  SSL/1  liS  cliaiincl 
has  as  its  endpoint  th(‘  server  Iioldiiig  the  i)assw(>r(l.  Tliis  is  not  guaranteed  by 
tlu'  protocol  itself.  Server  aiithi'iitication  during  the  SSL/TLS  handshake  jnst 
gHarant('(*s  that  tlu^  servc'r  has  a  valid  c('rtilic.at(‘.  It.  is  up  to  tlu'  ns('r  to  make 
sure  that  the  host  is  the  oik^  intcauh'd. 

This  (‘h(‘(‘k  is  not  always  st.raiglitforward:  host  naiiK's  arc’  not  always  indica¬ 
tive  of  s('i  vic('  oflered.  Fnrtliermore.  there  exist  various  ways  of  hiring  users  into 
connecting  to  th('  wrong  scm  vcm  .  For  (‘xainpky  an  atta(‘k^  targeting  tradcas  with 
th('  CcTinaii  Rniissioiis  Trading  Antliority  (DEIISt)  startc’d  from  an  email  pur¬ 
porting  to  (*onie  from  a  security  manager  re(|uesting  an  upgrade  to  iinimned 
sc'ciirity  standards^ 

^  First  report  on  http: //www.  f td.  de/unternehmen/f  inanzdienstleister/ : gestoh 
lene-co2-zertif ikate-hacker-greif en-emissionshaendler-an/50069112 .html 
This  mail  in  Gcanian  can  hc'  found  at  http://verlorenegeneration.de/2010/ 
02/03/dokumenation-die-phishing-email-ira-eraissionshandels-hack/ 


28 


E).  Gollinanii 


Fig.  2.  Maii-iii-tlic-iiiiddlo  attack  exploiting  TLS  session  renegotiation 


Once  a  user  is  lured  into  establishing  an  SSL/TLS  channel  with  the  attacker, 
the  attacker  can  act  as  a  iiiaii-in-the-middle  establishing  its  own  SSL/TLS  ehaii- 
iiel  with  the  server.  Authentication  requests  from  the  server  are  passed  on  to  the 
user;  the  user's  response  is  forwarded  to  the  server;  the  cookie  from  the  sc^rver 
is  sent  hack  to  the  man-in-the-middle  who  now  can  hijack  the  user's  application 
layer  session.  A  po.ssible  eonnterineasnre  are  cookies  tied  also  to  the  SSL/TLS 
channel  as  proposed  in  [14].  In  the  i:)resenee  of  a  inan-in-the-iniddle  attack  client 
and  server  use  different  SSL/TLS  ehannels  and  could  thus  detect  that  cookies 
are  not  received  in  the  same  channel  as  they  had  been  originally  sent. 

A  inaii-in-the-nhddle  attack  in  time  is  described  in  [12].  It  exploits  a  partic¬ 
ular  usage  of  SSL/TLS  for  controlling  access  to  protected  resources  on  a  web 
server.  Here,  client  and  server  arc  in  possession  of  certificates.  The  client  ini¬ 
tially  gets  anonymous  access  to  a  secure  web  site  by  establishing  an  SSL/TLS 
diannel  with  .server  authentication  only.  When  the  server  receives  a  rexpiest  for 
a  protected  resource,  SSL/TLS  session  renegotiation  is  triggered  with  a  Hello 
Request  message.  In  the  new  session  the  server  asks  for  client  authentication. 


Secure  Applications  without  Secure  Infrastructures 


20 


applications 
web  page  2()()()s 

- 1 - 

web  browser  1990s 

- ^ - 

operciting  system  1980s 


Fig.  3.  rh(‘  reference  monitor  is  moving  into  the  web  page 


hi  the  iiiaii-iii-th('-ini(l(lle  attack  (h'igiirc^  2)  tlu'  attacker  waits  for  a  session 
initiation  from  the  client.  Th(‘  client's  message'  is  suppressed  and  the  attackc'r 
starts  its  own  st'ssion  with  the  server.  The  attacker  sends  a  request  for  a  pro 
tected  resource  (in  Figure  2  a  web  pag('  is  posted  to  the  server)  whereupon  tlu' 
server  triggf'rs  se'ssion  re'iu'gotiation.  From  this  time  on  the  attacked*  acts  as  K'lay 
between  (  lieiit  that  is  in  the  process  of  establishing  a  new  channel  and  server 
until  both  have  established  a  ik'w  mutually  authenticated  SSL/dTS  ehainu'l.  A 
retpK'st  sc'iit  in  this  new  chaiiiK'l  will  be  attribiit(‘d  correctly  to  the  authenticated 
iiscT  and  executed  wdth  that  user's  access  rights.  The  attacker's  HTTP  reqne.st 
had  been  const riu'ted  so  that  it  would  be  a  pn'fix  to  th('  next  n'qnest  in  the 
current  session  and  will  now  also  be  executed  with  that  iis('r's  acce.ss  rights. 

Note  that  RFC  52 IG  does  not  promise  any  link  hetwec'ii  sessions  wIk'ii  defin¬ 
ing  d'LS  reiK'gotiation.  Application  desigiu'rs  who  had  used  renegotiation  to 
‘upgrade'  the  anthenticalion  status  of  the  client  had  thus  assumed  a  servi(v  not 
pr(jvided  by  the  iiifrastnictiin*.  To  address  this  situation,  RFC  5710  [15]  defines 
a  TbS  extension  wlu'rt'  renegotiations  are  cryptographically  tied  to  llu'  TLS 
connections  they  are  being  pcaforined  ovc'r.  In  this  cast',  the  infrastriKtnre  ha.s 
followt'd  to  meet  the  initially  imwarrantetl  ('xpectalions  of  an  application. 

6  Conclusion 

St'cnrity  is  moving  to  tlu'  application  layer.  Onct',  the  d(\sign  of  secure'  operating 
systt'ins  and  Interiu't  .st'ciirity  protocols  wert'  tlu'  main  foundat  ions  of  information 
st'ciirity.  According  to  the  tlu'ii  predominant  mood,  IT  systems  could  be  usc'd 
securely  once  .secure  infrastructures  were  in  plact'.  Remnants  of  this  era  can  still 
be  found  in  (‘lainis  that  one  MUST  seciirt'  operating  systt'ins  or  the  Internet  to 
be  able  to  securely  use  today *s  critical  IT  infrasl met i ires. 

Wc  observe,  however,  that  seenrity  inechanisins  in  end  systems  are  moving 
to  the  ai)plication  layer  of  the  software  stack.  The  reh'rence  monitor  ha.s  moved 
from  th('  operating  into  web  pages  (Figure  3).  Seenrity  components  at  upper 
layers  may  be  effectivT  without  support  from  below.  This  works  as  long  ms  direct 
ac(‘ess  to  the  lower  layers  need  not  be  considered  ms  a  threat.  In  parallel,  com¬ 
munications  security  mechanisms  have  been  moving  to  tlu'  application  layer  of 
the  protocol  stack.  y\t  the  point  where  end  system  set  nrity  and  coimnimications 
security  meet,  i.e.  in  the  software  components  ruuuiiig  network  protocols,  we 


30 


D.  GoIIinann 


have  seen  shared  secrets  moved  up  to  the  application  layer  to  defend  against 
attacks  at  the  iiifrastnicture  layer  (Section  3.3),  contrary  to  the  conventional 
security  strategy  that  tries  to  ('iiihed  secrets  at  a  layer  as  low  as  possible,  e.g.  in 
tamper  resistant  hardware. 

The  security  services  expected  from  the  infrastructure  may  thus  change  over 
time.  We  can  also  observe  that  our  view  of  what  constitutes  the  infrastructure 
may  change  over  time*.  The  web  browser  that  started  as  a  lu'vv  application  has 
today  become  an  essential  infrastructun*  component  for  Web  services. 

The  Internet  is  a  critical  infrastructure  because  it  is  the  platform  for  critical 
applications.  Our  primary  challenge  is  the  protection  of  these  applications.  Se- 
curity  services  provided  by  tlu'  infrastructure  may  help  in  this  cause,  but  trust 
in  these  servicers  may  also  be  misplaced  when  application  writers  misunderstand 
the  security  properties  actually  guaranteed. 

It  is  a  trivial  obs('rvation  on  security  engineering  that  defenders  ought  to 
know  where  their  systems  will  be  attacked.  When  attacks  are  laimclu'd  via  the 
interfa<‘e  of  web  appli(‘ations,  the  first  line  of  defence  should  be  at  that  layer. 

Attacks  may  Ix'  directed  against  the  application,  e.g.  fraudulent  bank  transfers 
in  an  e-banking  api)lication.  Application-level  access  control  necessarily  relatc's 
to  j)riiicipals  meaningful  for  the  application.  There  ma}'  be  mappings  from  those 
principals  to  principals  known  to  the  infrastructure  so  that  security  services  from 
the  infrastructure  can  support  api)lieation  security.  However,  in  ever}'  instance 
we  must  verify  that  it  is  not  possible  for  attackers  to  redefine  the  binding  between 
principal  names  at  different  system  layers.  We  may  thus  surmise'  that  it  is  more 
likely  to  find  access  control  solutions  at  the  application  layer,  as  borne  out  by 
our  ('arlier  observations  on  refe'rc'iice  monitors.  In  this  respect,  we  have'  secure 
applications  without  a  .security  infrastructure. 

Attac'ks  may  Ix'  dirt'cted  against  the  end  .system  hosting  the  ap])lication.  Soft¬ 
ware  vulnerabilities  in  an  ai)plication  may  present  the  attacker  with  an  oppor¬ 
tunity  to  step  down  into  the  infrastructure.  Although  software  security  is.sues 
could  be  address('d  in  each  application,  it  would  be  desirable  to  have  a  'secure’ 
computing  infra.stnicture,  i.e.  an  infra.structure  that  can  deal  with  malformed  in¬ 
puts  forwarded  via  tlx'  applications.  In  this  respect,  critical  applications  benefit 
from  a  coinpnt  iiig  infrastru(“tur{^  that  can  protect  its  own  ('xecution  integrity. 

The  primary  propc'rty  required  from  the  comimmications  infrastructure  is  avail¬ 
ability.  Security  services  such  as  confidentiality,  integrity,  or  authenticity  may  or 
may  not  be  provided  by  the  communications  infrastructure.  The  relative  merits  of 
delivering  these  .sc'rvices  in  the  various  layers  of  the  network  stack  have  been  dis- 
cu.ssed  extensively  in  the  research  literature.  The  most  relevant  issue  for  critical 
applications  are  the  choice  of  relevant  principals  that  can  .serve  as  logical  endpoints 
for  application  layer  transactions,  and  the  authentication  of  those  principals. 

We  k'ave  the  r<*ader  with  a  final  challenge.  When  security  is  moving  to  the 
application  layer,  responsibility  for  security  will  iiicrea.singly  rest  with  application 
writers  and  with  end  users.  At  this  point  in  time,  neither  of  the  two  commimities 
is  well  prepared  to  take  on  this  task,  but  nor  has  security  research  iinxh'  much 
progress  in  explaining  to  iion-c'xperts  the  implications  of  .security  decisions. 


S('ciiro  Applications  without  Secure  Infrastructures 


31 


References 

1.  Areiids.  R.,  Aiisteiii,  R..  Larson,  M..  Masvsey,  D..  Rose.  S.:  DNS  security  introduc¬ 
tion  and  requirements.  RFC  4033  (March  2005) 

2.  Arends,  R..  Aiistein,  R..  Lars{)ii,  M..  Mass*(*y.  I)..  Ro.se.  S.:  Protocol  modifications 
for  the  DNS  sc'curity  extensions.  RFC  4035  (Marc  h  2005) 

3.  An  lids.  R..  Aiistein.  R..  Larson.  M.,  Massvy,  D..  Rose.  S.:  Rc'sonrec'  records  for  th(’ 
DNS  .security  extensions.  RI^’C  4034  (March  2005) 

L  I3urn.s.  C’ross  site'  refiTcnce  forgery.  Technical  report.  Information  Security  Part¬ 
ners.  LLC.  WMsioii  1.1  (2005) 

5.  (’FRT  (\)ordination  Center.  Malicious  HTML  tags  embedded  in  client  web  rcnjiiests 
(2000).  http://www.cert . org/advisories/CA- 2000- 02.html 

(i.  Dean,  D.,  PVIten,  K.W.,  Wallac.h.  D.S.:  Java  security:  from  Ilot.Iava  to  Nctsca|)<' 
and  beyond.  In:  Proceedings  of  the  1900  IFPdC  Symposium  on  Sec  nrity  and  I^rivacv. 
pj).  190  200  (1996) 

7.  Dierks,  T.,  R(*scorIa.  K.:  TIu’  J’LS  jirotocol  version  1.2.  RI'C  52  It)  (August  2008) 

8.  Ch)ng.  L.,  Dageforde,  M.,  I^llison,  (I.W.:  Inside'  .lava  2  Platform  ScH  urity,  2nd  edn. 
Addison- Wesh'v,  Rc'ading  (2003) 

9.  Howard.  M..  LeBlanc.  1).:  VVViting  Secure  Code.  2nd  c'dii.  Microsoft  Press.  Rt'dmond 

(2002) 

10.  .lack.son.  C..,  Harth,  A.,  Hort/..  A..  Shao.  \\L,  Bonc'h.  D.:  Protecting  browsers  from 
DNS  rebinding  attacks.  In:  Procec'dings  of  the  14th  A(\M  (’onfen'iice  on  ('omputi’r 
and  C’ommniiicntions  Sc'cnrity,  pp.  421  431  (2007) 

11.  Kent,  S.,  Seo,  K.:  Seenritv  architecture  for  the  Interiu't  protocol,  RFC  4301  (!)('- 
cemix'r  2005) 

12.  Marsh.  R.,  Di.spensa.  S.:  Renc'gotiating  TLS.  lechnical  reixirt.  PhonelAictor  liu  .. 
Malvc'rn  (Novisnber  2009) 

1.3.  One.  A.:  Smashing  the  .stack  for  fim  and  profit.  Phrack  Magazine  49  (P)9()) 

14.  0])pliger.  R.,  Hauser.  R..  B.asin,  D.A.:  .SSL /TLS  se.ssi( in- aware  ii.ser  authentication. 
lEPJE  (’oinpnter  41(3),  59  65  (2008) 

15.  Rescorla,  1C,  Ray.  M..  Dispen.sa.  S..  Oskov.  N.:  Transport  layi'i*  security  (1  LS) 
reiu'gotiation  indication  extension.  RI'C  5716  (l'('brnarv  2010) 


Integrating  Types  and  Specifications  for  Secure 
Software  Development 


Grog  Morrisott 


Harviird  University, 

Cambridge,  Massacliiissetts,  02138,  USA 
greg0eecs . harvard . edu 
http : //www . eecs . harvard . edu/- greg 


Abstract.  Today,  the  majority  of  security  errors  in  software  sy.stems 
are  due  to  implementation  errors,  as  opposed  to  flaws  in  fnndaineiital 
algorithms  (e.g.,  cryptography).  Type-safe  languages,  such  as  Java,  help 
rule  out  a  chuss  of  these  errors,  such  as  code-injection  through  buffer  over¬ 
runs,  Blit  attackers  simply  shift  to  implementation  flaws  above  the  level 
of  the  primitive  operations  of  the  language  (e,g,.  SQb-injection  attac'ks). 
Thus,  next-generation  languages  need  type  systems  that  can  express  and 
enforce  application-specific  sc'ciirity  policies. 

Keywords:  di'pcMident  types,  verification,  software-secnrity. 


1  Overview 

hi  fhcoi'y.  thnv  is  no  difftrence  hehveen  thconj  and  practice.  But,  in 
practice,  there  is. 

Jnn  L.  A.  van  do  Siiepsdioiit 


Most  security  problems  today  are  rooted  in  iini)leiiientatioii  cuTors:  faihiri'  to 
chc'ck  that  an  array  index  stays  in  boniids,  failure  to  cluvk  that  an  ini^ut  string 
lacks  escape  charactcTs.  failure  to  check  that  an  integer  passed  to  an  allocation 
routine  is  j)ositive.  etc.  Fiirtherinore,  the  t(H*hniqiies  we  use  for  validating  that 
code  is  free  from  tlu'se  errors  (fuzz  testing,  manual  inspection,  static  analysis 
tools,  etc.)  have  proven  woefully  inadeciuate.  For  example,  in  spite  of  a  large 
security  push  starting  in  2002,  hackers  are  still  finding  buffer  (werruns  in  Mi¬ 
crosoft's  opcTating  systenn  and  other  applications. 

The  irony  is  that  many  of  the  simplest  kinds  of  errors,  such  as  buffer  overrims, 
could  be  preveiitc'd  by  the  use  of  a  type-safe  language  instead  of  C  or  C-j-T.  This 
is  bi'cause  a  type-safe  language  is  required  to  cnforc'e  the  basic  abstractions  of  the 
language  through  a  combination  of  static  and  dynamic  tests.  Languages  such  as 
Jav^a,  Scheme,  and  ML  are  all  examples  of  langtiages  whert’,  at  least  in  iirinciiile, 
biiffiT  overruns  cannot  ot  cur. 


I.  Kotenko  and  V.  Skoriuiii  (Ed.s,);  MMM-ACNS  2010.  LNCS  6258.  pp.  32  .35,  2010. 
©  Springer- Verlag  Berlin  Heidelberg  2010 


Integrating  Typ('s  and  Sporifications  for  Secure  Software  Developnn'iit 


novvever,  in  praeticv  tlune  are  four  problems  with  today’s  type-sah’  language's: 

1 .  It  is  expensive  to  re-write  programs  in  new  languages.  For  (\\ainj)le,  Windows 
consists  of  more  than  GO  luillioii  linens  of  code. 

2.  Today’s  type-safe  languages  perform  poorly  when  compared  to  (’  or  C+  +  , 
particularly  for  systems-related  tasks  (e.g.,  operating  sy.stems.  networking, 
databases,  etc.) 

3.  Today’s  languages  clu'ck  for  buffer  overruns  at  nin-time  and  throw  an  ('xcep- 
tion  that  is  rarely  caught.  This  shifts  tlu'  flaw  from  a  possible’  ee)de  inject ie)n 
te)  a  elenial  of  service  attae'k. 

4.  Idle  tyy)e  systems  for  te)elay’s  language's  are  too  we’ak  te)  e’iife)rce  pe)lie‘ies 
ne’e^ele'el  to  stop  ne\\t-geiicratie)n  attae’ks. 

The'  first  pre)blem  is  a  ke\v  issue  for  legacy  systems,  but  ne)t  fe)r  next-geiu’ration 
enivironmeiits  (c.e;.,  re'll  j)hone’s.  tablets,  t  fc.)  Furthermore,  re)r  key  se'gme’iits  e)f 
the  se)ftware'  marke’t,  nota])ly  the  medical,  military  anel  financial  inehistrie's,  the' 
cost  of  de'vele)ping  highly  se'cure.  new  se)ft\vare  is  practical. 

riie'  e)ther  three*  problem.s  re'cpiire  fimelaiiie'iital  new  re’se'arch  in  the  design  e)f 
.systems  programming  language's.  On  the*  e)iie  liaiiel,  we  need  a  way  te)  e'xpre’ss 
riedi,  applieatie)n-sj)e’e'ific  security  pe)liei('s  anel  automat ie  ally  elu’ck  that  the  e'ode 
re'spe'cts  the>se  polieie's.  On  the'  e)the'r  haiiel,  we  ne’e'el  languages  that,  like  C  anel 
C  f  f .  prejvide  relatively  elire'et  aee^ess  te)  the  niiderlying  machine  fe)r  pe'rfe)rmane‘('- 
eriticcal  e^oeh'. 


2  Refinement  Types 

A  inimber  e)f  rt'seare  hers  are  le)e)king  at  ne’xt-generation  progranmiing  language's 
that  suppe)rt  rcfinvincni  types.  Itefiiiement  type's  take*  the  form  ‘'{.r  :  T  \  P(.r)}'' 
wlu're'  T  is  a  type  anel  T*  is  a  prexlicate  e)ver  value's  of  the  type  T.  For  e'xaniple'. 
the  type  {x  :  int  |  .r  >  0}  e'ai)tnres  the  set  e)f  all  i)e)sitive'  iiite’ge'rs. 

The  principal  e*halleiige'  with  refine’ment  type's  is  finding  a  way  te)  support 
type'-edie'ekiiig.  Some  language's,  such  tis  PLT  Sehenne  [l].  rely  upe)n  elynamic 
elu'cks,  so  that  when  a  value  is  "east  ”  te)  have  a  refiiK’nieiit  type,  the  preelieate'  is 
e'valnate'el  e)n  the  value,  and  if  it  fails,  an  e'xce'ptie)u  is  thrown.  This  is  a  sim|)le  anel 
ewpe'elient  way  te)  ine'e)rporate  refinements,  but  leaels  te)  a  number  e)f  proble'ins. 

First,  it  restricts  the  laiigiicage  e)f  i)reHlieates  that  we  can  use  te)  a  ele'eaelabk' 
fragment.  Sece)nd,  the  se'inaiitie  s  e)f  tlu'se  ruu-time  cheeks  are  ne)t  edear,  e'spe'cially 
wlie'ii  the'  pre'elicate's  e‘an  have  side  effects  e)r  when  the'  preelicate's  iiive)lve  mutal>le 
elata  shareel  amongst  threads.  Thirel.  as  ne)teel  with  array-bounds  clu'cks,  the' 
pe)tential  for  elynamie'  failure'  (an  exception)  pre)viele's  for  a  pe)ssible  elenial  of 
se'rvie*e  attack. 

Te)  aelelre'ss  this  last  i)roble'ni,  many  syste'ins,  suedi  as  .IML#  [2]  try  to  elise  harge 
the'se  tests  at  compile  time'  using  an  SMT  thee)reni  prover.  In  practie*e',  this  we)rks 
well  fe)r  simple  pre'elicates  (e.g..  linear  constraints  e)n  iiitege’is).  but  less  well  fe)r 
'’ele'e'p  pre'dieates”  (e.g.,  this  string  is  well-formed  with  re'spe’ed  to  this  grammar.) 
Fin the'rniore.  SM  I  pre)ve'rs  are  foenseel  on  fragments  e)f  lirst-oreler  le)gic  (with 


G.  MoiTis(’tt 


particular  theories).  In  practice,  we  have  found  that,  just  as  prograiris  need  to 
abstract  over  other  sub-programs,  speeifieatioiis  need  support  for  abstractions, 
and  Ihglier-order  logics  provide  a  powerful  way  to  achieve  this. 

3  Type-Theoretic  Refinement 

Proof  assistants,  such  as  Coq  [3],  provide  a  powerful,  uniform  way  to  write  (a) 
programs,  (b)  speeifieatioiis  and  models  that  capture  desired  properties  of  pro¬ 
grams  ranging  from  simple  typing  and  safety  properties  up  to  full  eorrectness, 
and  (c)  formal,  machine-checked  proofs  that  a  given  program  meets  its  speci¬ 
fication.  Thoy  sacrifice  automation  for  finding  proofs  that  code  is  well-formed, 
relying  instead  upon  progranuners  to  exjdieitly  eonstruct  these  proofs.  In  this 
sense,  they  are  less  convenient  than  fully  autoinat(’d  type-cheeking  teelmiques. 
But  they  are  far  less  limited  than  the  approaches  listed  above. 

For  example,  Xavier  Leroy  and  his  students  have  used  Coq  to  construct  an 
optiinizing  compiler  that  translates  a  (w(dl-defined)  subset  of  C  to  PowerPC 
code,  defined  operational  semantics  for  both  C  and  PowerPC  code,  and  meehaii- 
ically  proved  that  when  the  compiler  succeeds  in  producing  target  code,  that 
code  behaves  the  same  as  the  source  code,  thereby  establishing  the  correct ne.ss 
of  the  compiler  [4].  Coq  is  not  alone  in  providing  support  for  this  style  of  pro¬ 
gram  development:  Other  examples  include  ACL2  [5],  Agda  [0],  Epigram  [7],  and 
Isabelle  [8]. 

N('vertheless,  today's  proof  assistants  suffer  from  a  number  of  limitations  that 
limit  their  applicability.  One  serious  shortcoming  is  that  w(*  are  limited  to  writ¬ 
ing  and  reasoning  about  only  purely  functional  programs  with  no  side  effects, 
iiK  hiding  diverging  programs,  mutable  state,  exceptions,  I/O,  concurrency,  etc. 
While  some  programining  tasks,  such  as  a  compiler,  can  be  formulated  as  a  pure, 
terminating  function,  most  cannot.  Furthermore,  even  programs  such  as  a  com¬ 
piler  need  to  use  a.syniptotieally  effieient  algorithms  and  data  striictiires  (c./;., 
hash-tables)  but  eurreiit  dependently  typed  languages  prevent  ns  from  doing  so. 
Thus  a  fundamental  challenge  is  scaling  the  programining  environments  of  proof 
tissistants  to  full-fledged  progranuning  languages. 

4  Ynot 

For  the  past  few  years,  my  research  group  has  been  investigating  a  design 
for  a  next -generation  programming  language  that  builds  upon  the  foimdation 
provided  by  proof- assistants.  We  believe  that  environments,  such  iis  Coq,  that 
provide  powerful  tools  for  specification  and  abstraction  provide  the  best  biusis 
moving  forward,  and  thus  the  eeiitral  issues  are  (a)  how  to  incorporate  support 
for  computational  effects,  and  (b)  how  to  scale  proof  development  and  mainte¬ 
nance  to  real  .systems. 

In  the  case  of  effects,  we  developed  a  modest  extension  to  Coq  called  Ynot, 
which  is  based  on  Hoare  Type  Theory  (HTT)  [9].  HTT  makes  a  strong  distinction 
between  types  of  pure  expressions,  and  those  that  may  have  side-effects,  .similar 


Intograting  Types  and  Specifications  for  SiHiin'  Software  Dcvelopnient 


do 


to  tli(‘  modality  foiuul  in  Haskell's  monadic  trc'atiiK'iit  of  K)  and  stat(*.  Inipnrc 
expressions  are  dclayvxU  and  tlu'ir  t'fTeets  only  take  place  when  they  are  explit  itly 
run.  Ih'caiise  impure'  ('xpre^ssioiis  are  delayed,  they  can  he  treated  as  “pure” 
value's^  avoiding  some  of  the  i^rohleins  with  n'fiiK'iiu'iits  in  the  pre'senee  of  etiecls. 

In  addition  to  extending  C’o(|  with  support  for  effects,  the  Ynot  project  has 
investigated  te'clmieines  for  effective  systems  progranimiiig.  For  example,  we  hiiilt 
a  small,  re'lational  database  inaiiagement  system  using  Ynot  which  was  deserilx'd 
ill  previous  work  [lO].  This  inchidixl  an  optimizing  (inery  compiler,  as  well  as 
complicated,  pointer-based  data  structures  including  hash-tal)les  and  B  f -trees. 
The  wdiolc  development,  iiudiiding  the  parser  for  queries,  the  query  optiniizc'r. 
th('  data  structures,  and  exeeiition  engine  are  verified  for  partial  correctness. 

Our  experience  building  verified  systx'ius  .softwaix'  in  this  fashion  is  promising, 
but  a  nnmlx'r  of  hard  issiu’s  remain  to  b('  exploit'd.  First  and  forc'inost.  construct¬ 
ing  proofs  of  correctness  demands  a  clean  .specification  for  tlu'  problem  domain. 
And  of  course,  a  bug  in  tin'  spc'cificalioii  can  k'ad  to  a  bug  in  the  code.  So  oiu* 
challengx'  is  finding  speeilications  for  systems  that  can  Ix'  v('rifi(Hl  in  th(*ir  own 
right.  Another  issiu'  is  the  cost  of  developing  and  niaintaiiiing  proofs.  Originally. 
w('  cod('d  proofs  by  hand.  Since  then,  we  have'  shifte'el  teiwarels  a  seini-aiiteiniateel 
style'  that  makes  liberal  use'  eif  cnsteim  lae  tie:s  [11].  The  latter  afiiiroach  ueit  e)nly 
e*nts  the*  size  of  the  proeifs.  but  makes  tln'iii  far  nieire'  robust  te)  ehange's  in  the 
program  e)r  spe'e*ificatiou. 

Finally,  the  programming  language  einbeelele'el  in  Ck)ei  is  a  re'lative'ly  high- 
le'vel,  ML  like*  language'.  Fe)r  iiiaiiv  applientions.  it  is  iek'al,  but  for  many  systems 
prexgramniing  tasks  (e.g.,  hypervisors  e)r  elevice  driv('rs),  it  is  te)e)  higii-leve*l.  Thus, 
we'  still  lack  a  geieiel  knv-level  programming  e'livireimne'iit  whie*h  can  eflective'ly 
re'plae  e  (\ 

References 

1.  PLT  Scheiiie*.  http://www.plt-scheme.org/ 

2.  Le'avciis,  O.T.,  f't  al.:  Pn'Iiiniiiary  dc.sigii  (T  .I.ML:  a  he'havioral  interface  spe'ciHe*a- 

tion  language  for  .lava.  SIGSOFT  Softw.  Fng.  Notejs  1  .'18  (2()l)(>) 

'1.  The  C’(M|  Proof  Assistant,  http://coq.inria.fr/ 

1.  Leroy.  X.:  Formal  veM'ification  of  a  realistic  compiler.  Ckamn.  of  the  AGM.  52(7), 
107  115  (2000) 

5.  AC^L2.  http: //userweb . cs . utexas . edu/^moore/aclS/aclS-doc .html 

(i.  Agda.  http :  //www .  cs .  chalmers .  se/~  catarina/agda/ 

7.  Fpigrain.  http://www.e-pig.org/ 

8.  Isabelle,  http://www.cl.cam.ac.uk/research/hvg/Isabelle/ 

!).  Nanc'vski.  A.,  e't  al.:  Polymorphism  and  se'paratioii  in  lloau?  IVpe  Tlie’orv.  In:  Ilth 
ACM  Inti.  Coiif.  on  Fime  tional  Prog,  j)p.  02  73.  ACM  Pre.ss,  New  York  (2000) 

10.  Malecha,  G..  et  al.:  Towards  a  verified  relational  dataliase  management  systi'in. 
In:  37th  AC’M  Symp.  on  Principk'S  of  F^rog.  pp.  237  24cS.  ACM  Press,  New  York 
(2010) 

11.  Chlipala,  A.,  et  ah:  h^k'ctive  interactive  proofs  for  higher-order  imperative'  [xo- 
grams.  In:  1  1th  ACM  hitl.  Conf.  on  Fimctioiial  Prog.  i)p.  79  90.  ACM  Press,  New 
York  (2009) 


Cryptography  for  Network  Security: 
Failures,  Successes  and  Challenges 


Bart  Prcnccl 


Katholickc  Universiteit  Leuven  and  IBBT 
Dept.  Eloetrical  Eiigiiieeriiig~ESAT/COSlC. 
Ka-stoolpark  Arenberg  10  Bus  244G,  B‘3001  Leuven,  Belgium 
bart . preneelOesat . kuleuven . be 


Abstract.  "Lliis  article  discusses  the  state  of  the  art  of  cryptographic 
algorithms  as  deployed  for  securing  computing  networks.  \V4iile  it  has 
been  argued  that  the  design  of  efficient  cryptographic  algorithms  is  the 
“easy”  part  of  securing  a  large  scale  network,  it  seems  that  very  often 
security  problems  are  identified  in  algorithms  and  their  implementations. 

Keywords:  cryptographic  algorithms,  network  security,  block  ciphers, 
stream  ciphers,  MAC  algorithms,  hash  functions. 


1  Introduction 

The  first  boom  in  cryptography  can  be  attributed  to  the  introduction  of  wireless- 
data  coinrmmications  at  tlie  l)egiiiiiiiig  of  the  20th  century  [28]:  it  is  clear  that 
wireless  coinnninications  arc  as  cjiisy  to  read  for  an  adversary  as  for  the  legitimate 
receiver.  There  is  also  the  mistaken  perception  that  intercepting  wired  conimii- 
iiications  is  really  difficult;  while  tlu’  introduction  of  optical  comnnmieations 
has  rais(Hl  the  threshold,  a  well  motivated  opponent  can  also  bypass  this  hur¬ 
dle.  From  the  1960s.  dedicated  or  switched  wired  networks  w('re  introduced  for 
eompiiter  networks.  Only  military,  governmental  and  financial  conimiinications 
were  encrypted:  until  the  early  199()s  this  encryption  was  mostly  implemented 
in  expensive  hardware  at  the  data  link  layer.  The  developnient  of  the  world 
wide  w('b  re.snlted  in  broad  use  of  cryptography  for  ('-comiiKTce  and  bu.sincss 
applications.  The  underlying  enabling  tcehnologies  are  iiK'xpensive  fast  software 
cryptography  and  open  security  protocols  such  as  TLS  (SSL),  SSH  and  IPsec 
as  introduced  in  the  .second  half  of  the  1990s.  In  sjiitc  of  this  dc'velopment,  only 
a  small  fraction  of  the  Intenu't  traffic  is  encrypted.  Most  of  this  encryption  is 
situated  at  the  network  or  transport  layer:  the  eoniinnnicatiori  is  protected  end- 
to-end  (e.g.,  from  the  browser  in  the  client  to  the  web  server),  from  gateway  to 
gateway  (for  a  VPN  based  on  IPsec  using  timiud  mode)  or  from  c-lient  to  gate¬ 
way  (e.g.,  a  VTN  for  remote  access  to  company  networks),  lii  the  last  decade  we 
have  witnessed  an  explosion  of  wirek'ss  data  networks,  including  Wireless  LANs 
(WTjAN,  IEEE  802.11),  Per.somil  Area  Netw'orks  (PANs  such  as  Bluetooth  or 
IEEE  802.15,  Zigbee  or  IEEE  802.15.4.  and  Ultrawideband  or  IEEE  802.15.  la) 


I.  Kof.onko  and  V^  Sknrniin  (Eds  );  MMM-ACNS  2010,  LNCS  6258,  pp.  36-51.  2010. 
©  Springer- Verlag  Berlin  Ileidelljerg  2010 


Cryptography  for  Nc’twork  ScMairity 


37 

and  \Vir(‘Ioss  Metropolitan  Area  Networks  (WiMAX  or  lEEP]  802.10).  All  these' 
teehnologies  have  beeai  introdiiee'd  with  cryptographic  security  at  the  link  lay(‘r: 
the  ('ally  solutions  are  typically  not  very  robust.  In  addition  inoljile  data  coin- 
iiiiinicatioii  is  growing  on  the  ovohing  GSM  mobile  phones  using  U'clniologic's 
such  as  GPRS  and  H)1)GP]  as  on  the  third  geiH'ratioii  inobik'.s  plioiu's  such  as 
3GSM. 

Pnd  to  end  protection  of  voice  coiumunicatiou  is  a  relatively  recent  phe'- 
iieiine'ne)!!.  The  main  reason  has  Ix'eii  teelmejlogieal  liinitat ie)ns.  but  tluTe  is  al.se) 
a  signiHcant  legal  barrier,  since  governments  want  to  maintain  the  capability 
te)  perforin  wire'taps  for  law  e'liforceinent  anel  national  sevnrity  purposes.  Ana- 
le)g  ve)ice  s(‘rainl)lers  ele)  not  e)H'er  a  vx'ry  high  security  k'vel.  The  US  dele^gation 
in  the  1915  Yalta  ('onfere'iie'e  brought  along  veay  voluniiiious  de'vie‘(\s  for  eligi- 
tal  voie*e'  e'ncryj)tioii;  ap])arently  they  we're  ne\'er  iise'el,  a.e).  feir  the  poe)r  (juality. 
Ethe  ie'iit  eligital  (coding  e)f  voic'c  for  mass  market  prexlucts  arrivi'd  in  t  he  1980s: 
s('e  nre  digital  phones  (('.g.  tlu'  STUs)  be'canie  available,  hut  eiutside  the  ge)vern- 
ine'iit  and  military  ('iivironme'nt  the'V  were  nev  er  successful.  Howe've'r,  today  Ve)i(*e' 
e)\'eT  IP  (Ve)lP)  t('chne)logi(\s  ivsult  in  widespreael  ('iiel-to-enel  security  based  e)n 
software'  ene  ryptie)!!.  The  first  analog  mejbile  phones  piovieled  no  e)r  veTy  we'ak 
se'e  urity.  which  iTsulted  in  serious  embarrassment  (e.g.,  the'  priv^ate  conv'ersations 
of  Prime  Charle's  bc'ing  ex]>os('el  or  the  e'avT.sdropping  ot'  the'  Soviet  nie)l)ile  com- 
niunicatie)!!  sy.stems  by  the  US).  The  Eurejpean  GSM  system  dc'sigiu'el  in  the  late' 
1980s  providi'el  alreaely  much  better  see  urity,  even  if  many  flaws  remain:  the\se 
flaws  did  iie)t  stop  the  system:  in  2010  there  are  more  than  4  billion  GSM  anel 
WCDMA-llSPA  subscribe'is.  The  GSM  se'ciirity  flaws  have  be'iMi  resolwel  in  the' 
3GSM  system,  but  even  the'ie  lie)  end-te)-eud  prote'ction  is  provielexl.  Plie  curivnt 
ge'iierat ion  e)f  smart  phoiu's  users  can  clearly  run  se)ftware'  (such  as  Skype')  with 
this  capability. 

This  .she)rt  article  tenels  te)  l)riefly  ele^scribe  the  situation  in  te'rins  e)f  (‘lypte)- 
graphk'  algorithms  iise'el  in  e‘onimunicatie)n  ne't works.  In  Se'ct..  2  we'  pre'se'iit  an 
update'  e)u  hash  functie)ns,  stream  cij)hers,  ble)ck  ciplu'rs  anel  the'ir  modes,  Se'c- 
tion  3  foeaisos  on  public  k(*y  algorithms  anel  Se'ct.  4  pre^se'iits  the  conclusions. 


2  Syninietric  Primitives 

In  this  sc'Ctioii,  we  discuss  the  fe)lle)wiug  symnietrie'  jirimit ive's:  l)le)(k  e‘i])hex*s, 
stream  ciphers,  MAC  algorithms,  hash  functions  and  meide's  for  antlu'iiticate'el 
(or  nnforge'able)  encryption. 


2.1  Block  Ciphers 

Ble>ck  ciphers  are  a  flexible  building  block  fe)r  many  crypt ogra])hic  api)licatie)ns. 
This  inchide's  the  original  goal  e)f  e'ucryptioii  (in  CBC\  CEB.  OFB  or  CTR  mode), 
but  they  can  alse)  be  use'd  tej  construct  MAC  algorithms  (cf.  Se'ct.  2.3),  hash 
fune'tions  (e'f.  Se'ct.  2.4),  p.se'udo-randejm  functions  and  oiu'-w'ay  fnuctiems. 


38 


B.  Frcncel 


The  DES  algorithm  was  published  by  the  US  goveniiiient  in  the  1970s;  it  is  a 
block  cipher  with  a  64-bit  block  length  and  a  5G-bit  key.  In  sj)ite  of  initial  contro¬ 
versy  around  its  design,  the  deciding  factors  in  the  success  of  the  DES  algorithm 
were  the  standardization  by  the  US  government  and  the  generous  licensing  con¬ 
ditions.  However,  in  the  1990s  it  became  obvious  that  the  5G-bit  key  size  was 
no  longer  adequate.^  The  financial  world  started  moving  towards  two  key  triple- 
DES  in  the  late  199()s:  this  move  was  conij)leted  around  200G,  a  few  years  later 
than  planned.  In  2004  NIST  (National  Institute  of  Standards  and  T(‘chnology, 
US)  aniioimced  that  DES  was  no  longer  adecpiate  and  published  a  triple-DES 
specification  [72];  two-key  triple-DES  is  aj)proved  until  2009,  while  three- key 
trii)le-DES  is  deemed  to  be  adecpiate  until  2030.  Tlu'  modes  for  triple-DES  have 
been  defined  in  ANSI  X9.52  [2].  Tlu'  main  reason  for  the  limited  lifetime  of  the 
two-key  tripl('-DF]S  variant  is  the  attack  by  Wiener  and  van  Oorschot  [95]  that 
recpiircs  2^^  time  when  2"*^  known  plaintexts  are  available;  this  is  not  a  concern 
for  the  financial  sector,  as  keys  are  typically  changed  freqiu'ntly  and  messages 
are  very  short.  On  tlu'  other  hand,  three- kc'y  triple-DES  is  very  vulnerable  to  a 
relatcd-key  attack  [58];  in  this  attack  an  opponent  obtains  the  encryption  of  a 
plaintext  P  under  a  key  K  and  a  key  K  0^  for  a  constant  A,  In  most  contexts 
such  an  attack  is  not  feasible,  but  an  cxcci)tion  is  ai^plications  that  use  control 
vectors  [G8]. 

In  1997,  NIST  started  an  o])en  competition  to  find  a  replac('nient  for  the  DES. 
The  AES  algorithm  hi\s  a  block  of  length  of  128  bits,  and  should  sni)port  keys 
lengths  of  128,  192  and  256  bits.  In  October  2000  NIST  selected  the  Hijndacl 
algorithm  (designed  by  the  Belgian  cryptograj)hers  Vhneent  Rijnien  and  Joan 
Daemen)  as  the  AES  algorithm  [24,39].  In  2003,  the  US  government  annonnc(‘d 
that  it  would  also  allow  the  use  of  AES  for  secret  data,  and  even  for  toj)  .secret 
data;  the  latter  applications  require  key  lengths  of  192  or  256  bits.  AES  is  a 
rather  elegant  and  mathematical  design,  that  aiiiong  the  five  finalists  olfcnnl 
the  best  combination  of  security,  performance,  cfficic'ncy.  implement  ability  and 
flexibility.  AES  allows  for  compact  implementations  on  8-bit  smart  (‘aids  (36 
bytes  of  RAM),  but  also  highly  efficient  implementations  on  32-bit  architect uri's 
(15  cycles/byte  on  a  Pentinm  III  and  7.6  cych^s/b^^te  on  a  Core'  2  [55]).  Moreover, 
hardware  inij)lenientations  of  AES  offer  good  trade-offs  between  size  and  speed. 
AES  has  bcK'ii  taken  np  quickly  by  many  standards  and  iinplemeiitations;  in 
May  2010  more  than  1300  AP]S  implement  at  iems  have  been  validated  by  tlu'  US 
government. 

So  far,  AES  has  n'si.sted  all  shortcut  attacks,  including  algebraic  attacks.  In 
2009,  it  w'as  demonstrat'd  by  Biryukov  and  Khovratovich  [11]  that  AES-192  and 
AES-256  arc  vulnerable  to  related-key  attacks:  the  attack  on  AES-256  requirc's 
4  relatcxl  keys  and  2^^'^  ('iicryptions,  which  is  much  h'ss  than  Tlu^se  attacks 
indicate  that  they  kc'v  .s('hediile  of  AES  should  have  been  stronger;  on  the  other 
hand,  tlu'y  clearly  do  not  form  a  practical  threat  and  one  can  easily  defend 
against  them  by  not  allowing  any  key  manipulations  or  by  hashing  a  key  Ix'fore 


A  US  $  1  million  inachine  today  would  recover  a  DES  key  in  a  few^  seconds  the 
same  design  would  have  tak('ii  3  hours  in  1993  [103]. 


I 


C’rvptogra])Iiy  lor  Ni'lw'ork  ScTuritv 


use.  It  is  hIso  worth  to  point  out  that  it  is  not  possible  to  design  a  eipln'r  tha! 
is  scH  iire  against  any  related  key  attack. 

In  2010  Dnnkehuaii  (t  al.  [31]  have  ]nil)li.sh(Hl  a  related  key  attack  on  the  (il- 
l)i!  block  cij)her  KASUMI  (that,  is  standardized  for  CSM  under  the  name  Ar>/3 
and  that  is  also  used  for  rncryj)tiou  in  3GPF);  tlu'  attac'k  r(*(jiiir(‘s  4  relaUnl  kc\vs, 
2*^^*  plaintc'xts.  2^^  bytes  of  nieinory  and  time  2^^^;  while  these  coin])lexities  an* 
ratiu'r  low,  the  attack  c'aimot  l)e  aj^plic'd  to  KASUMI  as  deployed  in  cnrn'iit 
mobile*  lu't  works. 

The  most  powc'i  fnl  attac  ks  against  AES  and  other  block  ciphers  have*  not  he(*n 
pun*  math(*inatic‘al  attacks,  but  timing  attacks  based  on  cache  eifects  this  kind 
of  attack  apphc*s  in  principle  to  any  cryptographic  algorithm  implemc'ntatioii  that 
nsc*s  table's  (see  e.g.  [9,70.9 4]).  bliis  attac‘k  is  oik*  of  the  rea.sons  why  Intc*l  has  dc*> 
ci(l(*d  to  add  d(‘dic^atc*cl  AES  instructions  to  its  j)n)C’cssors  from  2010  onwards  [14]: 
th(*se  instructions  also  boost  tlu*  perfonnaiice  of  AES  to  about  0.75  cyclc's/bytc* 
(in  decryption  mode).  Note*  that  the  fast  iinj)lem(*ntat  ion  of  AES  of  Kaspc*r  and 
Schwabc*  [55]  is  bitslicc'd  and  hc'iice  nc:)t  vulnerable  to  cache'- basc'd  attacks. 

2.2  Strc'aiii  Ciphers 

Ih'cansc*  of  their  low  im))l('inc*ntation  cost,  addit.i\c*  stivam  ciphers  have  bc*en  the* 
work  horse*  of  symmetric*  cryj)tography  until  the  1980s.  14iey  take  as  input  a 
short  secret  key  and  a  ])nblic  initialization  value  JV  and  stretc‘h  this  to  a  long 
string  that  can  be*  sinij)ly  acldc'd  to  the*  j)laintc*xt  io  yic'lcl  the  ciphertext.  This 
implic's  that  the  eiicryi^tion  transformation  is  very  simple*  but  dc'])c'iicls  on  the* 
lc:)cation  in  the  plaintc'xt.  Hardware*  c)rie*nted  str(*am  ci])hers  ty])ic‘ally  o])(*rat('  on 
short  data  units  (hits  or  bytes)  and  have  a  small  footprint.  The  initialization 
value  l\'  s('rv(*s  for  rc\sync‘hrc)nization  i)iiri)os(*s.  Both  the  I\'  and  the  internal 
memory  ne*c*cl  te:>  be  siilliciently  large  te^  resist  timc'-ine'inory-data  trade'otfs  (se'e* 
for  example*  [10,02]). 

From  the  IfKiOs  to  the*  late  1980s,  most  stream  ciphe*rs  were  b<\secl  on  bine'ar 
Feedback  Shift  Hc'giste'is  (bl-SBs)  that  are  oj)tinial  for  hardware  implenu'nta- 
tions  (se*('  for  e*xanii)le  Riie))i)el  [87]  and  Meiu'/(*s  rt  al.  [71]).  However,  it  has 
become  e  Ic'ar  that  most  LFSH-basc'd  strc*am  ciphers  arc*  miieli  Ic'ss  sc*cnre  tluui 
c*xp(*e4c‘d;  powerful  nc*w'  attac*ks  include  fast  correlation  attac‘ks  [70]  and  alge*- 
braic  attacks  [23].  Notable*  caypt analytic  snerc*ssc*s  are  the  attack  hv  Barkan  and 
Biham  [3]  on  A5/1  (the  stream  cipher  used  in  GSM)  and  the  attac'k  by  bn  rt 
al.  [05]  on  EO  (the*  stre*am  c‘ii)he'r  \ised  in  Bhie*tooth).  Both  attac‘ks  are  rc'alistic 
attacks  on  wiele*ly  iise*el  algorithms. 

HC4  has  l)c*en  ele*signe*cl  in  1987  lyy  Rivest  for  elficient  software  e*ncryptioii  em  8- 
bit  machine's.  RC4  w'as  a  trade  secret,  but  leaked  out  in  1991;  it  is  currently  still 
impleinentc'cl  in  browsers  (SSb/TLS  protoe'ol).  \\4hle*  several  statistic'al  wc*ak- 
ne*sses  have  bc*en  icl(*ntific*cl  in  RC4  [40.77],  the  algoritlnu  sc*c‘ms  to  resist  kc*y 
recovery  attac'ks. 

In  the  last  dc'cacle,  fast  str(*am  cij)hc*rs  have  been  prc)|)C)S(‘(l  that  are  orientc'd 
tow^ards  32-bit  and  04-bit  processors.  Two  stream  ciphers  that  have  b(*en  in- 
cIucIchI  into  the  ISO  standard  are  MUGl  [100]  and  SNOW  [33];  a  si rengt h(*nc*d 


40 


B.  Prenoc! 


variant  of  SNOW  has  been  selected  as  i)ackup  algorithm  for  3GSM.  Between 
2001  and  2008  the  EU  Network  of  Excellence  ECRYPT  [32]  has  organized  an 
open  competition  eSTREAM  with  as  goal  to  identify  promising  stream  ciphers 
that  are  either  very  fast  in  software  (128-bit  key  and  G4  or  128-l)it  IV)  or  that 
offer  a  low  footprint  in  hardware  (80-bit  key  and  32  or  G4-bit  IV).  During  the 
four  years  of  the  eoinpet  ition.  dozens  of  stream  ciphers  have  la'cn  broken.  The 
competit  ion  has  resulted  in  a  portfolio  with  four  software-oriented  ciphers  with  a 
performance  of  3-10  eycles/bytc  (HC-128,  Rabbit,  Salsa20/12  and  Sosemanuk); 
three?  hardware-oriented  ciphers  are  recommended  (Grain,  Mi(‘keyv2.  and  Tii\- 
iuni).  All  important  conclusion  from  the  eSTREAM  project  is  that  for  very  low 
footprint  impUmientations,  G4-bit  block  ciphers  are  more  efficient;  however,  if 
one  desires  a  very  high  performance  implementation  with  a  low  hardware  cost, 
the  hardware-oriented  strc'aiii  ciphers  offer  an  improvement  with  a  factor  of  two 
to  four  over  block  ciphers.  More  details  on  the  eSTREAM  (‘ompetition  can  be 
found  in  [84]. 

2.3  Message  Authentication  Codes  (MACs) 

Message  Authentication  Codes  are  us(?d  to  authenticate  messages  between  par¬ 
ties  that  share  a  secret  key.  MACs  are  widely  use  in  networks,  liecause  they 
arc  more  effioic'iit  in  ti'rins  of  performance  and  memory  than  digital  signature 
schemes.  The  most  widely  used  constructions  are  derived  from  block  ciphers  or 
hash  functions. 

The  most  popular  MAC  algorithm  for  financial  transactions  is  still  CBC- 
MAC.  Initially,  variants  based  on  DES  were  used;  these  have  been  migrated  to 
triple-I)F]S  variants.  AES  is  gradually  replacing  DES  for  this  application  (cf. 
Sect.  2.1). 

The  CBC-MAC  construction  ba.sed  on  an  n-bit  block  cipher  can  be  described 
as  follows.  First  the  input  string  is  padded  to  a  multiple  of  the  block  length,  and 
the  resulting  string  is  divided  into  t  ??-bit  blocks  x\  through  .?>. 


Cl  ;=  Ekiro) 

Ci  :=  Ek(xi  ©c,_i), 


(1) 

(2) 


1  <  7  <  /  . 


Here  0  denotes  the  bitwise  exclusivc-or  operation.  Note  that  imlikf'  in  CBC 
eneryption  no  IV  value  should  he  used.  The  reeomnuaided  variant  for  use  with 
DES  is  the  ANSI  retail  MAC  [1]:  it  computes  the  MAC  value  with  two  inde¬ 
pendent  keys  k  and  A'':  MAC^.(jo  • =  Ih  {Eu>{ct)).  For  AES.  EMAC  is  the 
preferred  construction:  MACa(j'o  . .  =  Ek>{ct).  Here  A:'  is  a  key  derived  from 

k.  An  even  simpler  s(‘henie  is  LMAC;  it  uses  the  key  A:'  for  the  hist  eneryption 


{i  =  t). 


NIST  has  published  vet  another  variant  under  the  name  of  CMAC  [73]  (CMAC 
was  previously  called  OMAC  [53],  which  is  an  optimization  of  XCB(^  [14]). 
CMAC  modifies  the  last  computation  in  CBC-MAC  by  exoring  k2  or  kS  to 
Xt.  The  key  k2  is  chosen  when  the  last  liloek  Xt  recpiires  no  padding  (i.e.,  it  is 
of  length  ?i),  while  A*3  is  chosen  otherwise.  The  keys  A*2  and  A’3  are  computed  as 


Cry]:)t()grai)hy  for  Network  S(‘eiirity 


A*2  =  ‘2’  •  Ek{(y^)  and  k3  —  ^4’  •  where  0^^  denotes  the  //-bit  all  zero 

string,  '2*  and  '4*  are  two  elements  of  the  finite  field  F2"  •  and  represents 
nuiltiplication  in  the  finite  field  F2ti . 

On  the  Internet,  HMAC  is  by  far  the  most  popular  eonstrnetion  [5];  in  the  light 
of  the  attacks  on  MD4  and  MD5  (cf.  Sect.  2.4).  the  HMAC  .seenritv  analysis  has 
been  rehned  by  Bellan'  [1].  The  state'  of  the  art  in  cryptanalysis  is  that  HMAC- 
MD1  has  been  broken  by  Leiin'iit  ct  al.  [41];  their  attack  reqnire's  2^^  cbo.sen  texts 
and  2’^'’  computations.  Some  doubts  have  bee'n  cast  on  IIMAC-MD5  [21,59]:  tlu' 
Ix'st  known  attack  on  HMAC-MDo  is  a  related  key  attack  that  reqiiin'S  2"^^ 
chosen  plaintexts  and  2^^^^^  time  (see  also  [99]).  For  the  time  the  security  margin 
offered  by  HMAC-SHA-1  is  acce'ptabk'. 

Ill  the  past  five  years  tlu'n'  has  bet'ii  a  growing  intere.st  in  unconditionally 
seelin'  MAC  algorithms.  They  were  introduced  as  authentication  codes  by  Sim¬ 
mons  [92]  and  more  practical  constructions  wc'ri'  known  as  univ(*rsal  hash  func¬ 
tions  (following  Carter  and  Wegman  [101]).  If  tlu'v  are'  ce)nibined  with  a  ble/ek 
cii)her  (such  Jis  AES)  eir  a  pseiide)-raiielom  function  (siieh  /is  HMAC),  the  un- 
('eniditional  security  is  kjst,  but  they  result  in  MAC  algorithms  that  are  very 
ellicie'iit  and  elegant.  UMAC  [13]  is  about  10  time's  fastc'r  than  CBC-MAC  baseel 
e)n  AES  or  HMAC-SHA-1.  but  it  e)ff('rs  a  limited  ke'v  agility  and  has  a  rathe'i* 
large'  Ranelom  Ae'cess  Me'inory  (HAM)  re'epiirenient;  inore'over,  Hanelsdiiih  anel 
Pre'iieel  have  demonstrate'el  [45]  that  for  a  large  class  e^f  MAC  alge^rithms  base'el 
on  universal  hash  functions  (ine'lueliiig  UMAC)  a  few  forgeric'S  leael  te)  eflicie'iit 
ke'y  re'eenery.  Be'rnsteiirs  Peily  1305-AES  [9]  is  eine  of  the  ceiustructieHis  ba.se'el 
e)n  polynomial  universal  hashing.  It  is  only  thre'e'  timers  faste'r  than  AES,  but  it 
has  a  be'tte'r  key  agility  than  UMAC’  anel  re'qnires  k'ss  HAM;  it  se'e'iiis  alse)  k'ss 
viiliu'rable  to  ke'v  recove'vy  attae’ks. 


2.4  Hash  Functions 

C^rypteigraphic  luush  functions  are  a  wiek'lv  ek'plem'el  primitive'  fe)r  me'.ssage  au¬ 
thentication.  The'y  compre'ss  strings  e)f  arbitrarv  k'ligths  to  strings  e)f  fixe'el  k'ligths 
(typically  between  128  and  256  hits).  Crypte/graphic  hash  functions  lu'ed  te)  sat¬ 
isfy  the  following  thre'e  se^curity  preiperties  [71,79]: 

preimage  re'sistaiice:  it  she)iikl  be  liarel  to  liiiel  a  pre'iniage  for  a  give*n  hash 
re'sult : 

2nel  preimage'  re'sistance:  it  she)nld  be'  harel  te)  finel  a  2nd  jneimage  for  a  given 
input: 

—  ce)lli.sie)n  re*sistane‘e:  it  .she)nlel  be  hard  te)  find  twe)  elifferent  inputs  with  the' 
same  hash  result. 

For  an  ieleal  hash  function  with  an  7i-bit  result,  finding  a  (2ud)  preiniage'  re'- 
epiire's  ai)i)roxiuuitely  2^'  hash  functie)n  evaluations.  On  the  other  hand,  fineling 
a  collision  iTepiire'S  only  2”/"'  hash  fune‘tie)n  evaluations  (as  a  ce)nse'eiueiice'  e)f 
the  birtlielay  paraelox).  Collision  resistance  iiiqilies  2nel  preiimige  re'sistane  e*,  but 
the  fe)rnial  re'lation  between  tlu'se  definitie)ns  is  uie)re  complex  anel  subtle'  than 


42 


B.  Pmiool 


one  would  expect  (sec'  Rogaway  and  Slirimpton  [8()]).  In  practice  on  recpiires 
also  other  properties  such  as  indifferent iability  froui  a  random  oracle  [22],  and 
pseudo- randoiniiess  (this  assumes  that  a  secret  key  is  part  of  the  input). 

The  main  application  of  hash  function  is  digital  signature  schemes,  in  which 
one  signs  the  hash  value  of  a  message  rather  than  the  message  itself.  Digital 
signatures  are  used  in  some  key  establishment  protocols  to  bind  a  protocol  mes¬ 
sage  to  an  entity.  Hash  functions  can  also  be  used  to  construct  MAC  algorithms; 
the  most  poi)nlar  construction  of  this  type  is  HMAC  (cf.  Sect.  2.3).  HMAC 
constructions  are  also  used  for  deriving  symmetric  keys  in  protocols  such  as 
Diffie-Ilelhnaii.  In  practu'e  HMAC  is  used  with  hash  functions  such  as  MD5, 
SHA-1  and  RlPEMD-160.  In  the  SSL/TLS  protocol,  a  hash  function  is  used  at 
the  end  of  the  handshake  protocol  (in  which  the  cipher  suites  are  negotiated)  to 
confirm  the  integrity  (TLS  version  1.0/1. 1  uses  the  concatenation  of  MD5  and 
SHA-l,  while  in  TLS  version  1.2  a  singk'  hash  function  is  used). 

In  the  last  decade,  a  iiniiiber  of  structural  weaknesses  have  been  identified 
ill  hash  functions;  these  weaknesses  are  related  to  the  way  cryptographic  hash 
functions  are  constructed  from  smaller  building  blocks.  Most  constructions  use 
a  simple  iteration,  and  are  therefore  calk'd  iterated  hash  functions.  The  most 
remarkable  attack  is  a  result  by  Joiix  [54]  who  shows  that  if  finding  a  collision  for 
an  iterated  hash  function  takes  time  T  (for  an  ideally  secure  hash  function  T  = 
2"/^),  one  can  find  2“*  strings  ha.shing  to  a  single  value  in  time  s-T.  As  an  exanipk', 
finding  a  billion  messages  that  all  hash  to  the  same  result  requires  only  thirty 
times  the  effort  to  find  a  single  collision.  This  result  has  the  surprising  corollary 
that  the  concatenation  of  two  iterated  hash  functions  (.7(.r)  =  /ij  (a*)||/i2(-r)) 
is  only  as  strong  as  the  strongest  of  tlu^  two  hash  functions  (evc'ii  if  both  are 
independent).  If  //,;  is  a  hash  function  with  an  r/,-bit  result  (/'  =  1,2  and  w.l.o.g. 

>  ^^2)’  finding  a  collision  for  g  requires  time  at  most  ni  •  2'^2/2 
2ini-\-n2)/2  Hndiiig  a  preiniage  or  2nd  preiniage  for  g  requires  time  at  most 
7i\  *  4-  2^*^  -h  2"2  If  either  of  the  functions*  is  weak,  the  attacks 

may  work  better.  This  attack  is  particularly  relevant  siiK  c  weaknesses  have  been 
discovered  in  several  widely  used  hash  functions  (cf.  supra)  and  the  concatenation 
construction  has  been  proposed  as  a  robust  solution  (e.g.  in  SSL/TLS).  It  seems 
that  once  the  collision  resistance  of  our  current  iterated  hash  fuiu'tions  br(*aks 
down,  the  other  security  properties  are  also  undermined. 

Until  recently,  the  most  widely  used  hash  functions  were  MD5  and  SHA-1. 
MD5  is  a  128-bit  hash  fnnetion  designed  by  Rivest  in  1991  [82];  it  is  a  strength¬ 
ened  version  of  MD4.  MD5  was  one  of  th('  first  c  ryptographic  algorithms  that 
was  dc'sigiied  to  be  fast,  on  32-bit  processors  in  software'.  Early  cryptanalytic  rc'- 
sults  by  deu  Boc'i*  and  Bosselaers  [20]  and  Dobbertin  [30]  indicated  that  finding 
collisions  for  MDS  would  require  less  than  2^^^  operations;  in  si)ite  of  the  fact  that 
cryptographers  advised  against  using  MD5,  the  algorithm  has  bc'en  widely  de¬ 
ployed.  The  first  collisions  for  MD5  wcTe  .announced  in  2004  by  Wang  et  ai  [98], 
who  wc're  able  to  push  the  limits  on  difk'rential  attacks  by  introducing  some 
innovative  cryptanalytic  tc'cdniicpies;  their  attack  rc'quired  time  2‘^^,  which  corre¬ 
sponds  to  a  few  hours  on  a  PC.  Since  then  tlu'  attack  Inas  been  further  optimized; 


Cryptography  for  Network  Security 


\:\ 

tho  Ix'st  collision  stvirch  algoritinii  known  today  rctjuircs  niillist'conds  [93].  While 
this  rejMesents  a  major  breakthrough,  it  is  iin]>ortant  to  note  that  with  alxnit 
USSlOOOOO  of  hardware,  a  Inuite-foree  collision  search  for  MDo  (or  any  r28-l)it 
hash  hinction  of  coniparabh'  t'ost)  should  tak<‘  a  ft'w  days  with  th<'  design  of  van 
Oorschot  and  Witaier  [9G]. 

In  191)0,  NIST  has  ])nl)lish(Hl  SIlA-1  [37];  it  is  a  strengthened  version  ofSHA. 
which  was  standardiz('d  two  years  earlier  [39]  (SIIA  is  now  called  SIIA-O  by  sonu' 
n 'searchers).  Both  SIIA(-())  and  SIIA-1  have  a  IGO-bit  result.  While  SHA-l  is 
slow('r  but  inoH'  sc'cnre  than  MOf).  it  becanu'  very  po])nlar  for  a])])licati()ns  that 
n'qiiirt'  long  t('nn  st'cnriiy.  In  2005,  Wang  t  f  ai  [97]  have  piiblisht'd  a  collision 
st'arch  algorit.hin  for  SIIA-1  that  rt'tpiires  only  2^^'^  steps,  which  is  2000  tiiiK's 
fa.ster  than  a  brute  force  collision  st'arch.  Fivt'  yt'ars  lat('r,  .sevt'ral  res(*a.rch('rs 
hav('  announced  iin])rovein('nts  (sonietinii's  even  very  sj)ectactilar  ones),  but  so 
far  none  of  these' attacks  has  inat('rializ('d.  In  2005.1oiix  vi  ai  [54]  fonnd  collisions 
for  SIlA{-0)  with  coni])lexily  2'^^  Today  the  best  collision  attack  for  SHA-0  by 
ManiK'l  and  Be'vrin  [G7]  takes  only  2’^’^  stei)s.  The  ini])licalions  of  the  attack  on 
SHA(-O)  art'  limited,  since  this  algorithm  is  not  d('])loy('d. 

Th('  colli.sion  attacks  on  MD4  and  MD5  art'  (piitt'  nnnsnal  in  the  sc'iisc'  that 
tlit'y  are  t'xtre'iiK'ly  ('llicieiit.  However,  so  far  tht'ir  prattical  im))li(‘ations  have' 
bt'en  liniitc'd,  as  vt'ry  ft'w  applications  n.st'  digital  signatint's  and  vt'ry  ft'w  a})|)li- 
cations  rt'tjnirt' collision  re'sistanct'.  In  Deceinbt'r  2008,  Sotirov  t't  al.  [93]  ('realt'd 
a  rogiK'  (’A  ct'rtificate  using  MD5.  wliidi  allows  tlu'in  to  inijx'rsonate  any  web- 
.sitt'  on  tlu*  Interiu't.  This  attack  reeiiiired  crvj^tanalytic  improvt'inents  bt'vond 
simple  collision  .search.  Only  after  this  attack,  sevt'ial  Ct'itiHt'at ion  Anthoritit's 
dt'eidt'd  to  removt'  MD5  from  tht'ir  offerings.  Whilt*  there  is  substantial  progrt'.ss 
with  j)rt'iniag(‘  attacks  t)n  MD  1  and  MD5,  these  attacks  are  hir  from  ])ractit'al. 
Lt'urent  (>4]  has  shown  that  int'iniagt's  ft)r  MD4  (‘an  be  found  in  2^^^*^  st('])s,  and 
the  ])reimage  attack  by  Sasaki  and  Aoki  [89]  on  Ml)5  has  (‘oinpk'xity 

UIPFMD-IGO  [19]  toiild  at  t  as  a  replacement  ft)r  SIIA-1;  it  st't'ins  tt)  resist  all 
crvptanalytie  ellbrts.  NISI"  has  alst)  a  series  t)f  standartls  t  hat  offt'r  longer  hash 
r('sults:  SHA-25G.  SlIA-221,  SHA-384  and  SHA-5r2  [38].  whit'h  are  knt)wn  nndt'r 
the  common  namt'  SHy\-2.  Cryjrtanalysis  t)f  the  SlIA-2  family  snggc'sts  that  this 
st'ct)ntl  gt'iieration  fimctions  has  a  substantial  scx'iirity  margin  against  collision 
attacks  (tlu'  n'snlts  by  Indesteege  et  al.  [48]  and  Sanadhya  and  Sarkar  [88]  can 
only  br('ak  21  otit  of  G1  steps  of  SHA-25G).  A  third  alt<'rnati\  ('  is  Whirlptx)!, 
a  design  by  Hijim'ii  and  Barrc'to  [51]  basc'd  on  the'  dc'sign  principles  of  AES. 
For  th('  most  r(*c(*nt  status  of  attacks  on  Whirl i)ool.  s('('  [Gl].  All  tlu'.se  hash 
fimctions  have  Ix'c'ii  standardiz(xl  by  ISO  in  IS  101 18  3  [51].  together  with 
SIIA- 1. 

NIST  is  cnrrc'ntly  running  an  open  competition  for  a  new  hash  ftmetion  stan¬ 
dard  that  will  be  calk'd  SllA-3.  Sixty-four  submissions  have  Ix'en  n'ceivc'd.  11 
of  which  arc'  cnrrc'iitly  Ix'ing  ('\alnated  in  the  swond  rotnid.  It  is  ex])ect('d  that 
NIST  will  aimounee  the  winix'r  by  mid  2012.  For  more  cU'tails  on  tlu'  SIIA-3 
comjx'tition  and  on  the  state  of  hash  functions,  see  [79]. 


44 


B.  Preneel 


2.5  Authenticated  or  Unforgeable  Encryption 

Most  applications  need  a  secure  channel  l)ctwcen  sender  and  receiver:  such 
a  channel  requires  both  eonfidentiality  and  data  authentication.  In  the  1980s 
and  1990s,  separate  primitives  were  introduced  for  each  of  these  properties. 
However,  it  is  not  so  hard  to  show  that  eonfidentiality  proteetion  without  data 
authentication  can  lead  to  serious  problems;  in  particular,  such  a  scheme  is  vul¬ 
nerable  to  a  chosen  ( iphertext  attack  in  which  the  opponent  uses  decryption 
queries  to  learn  information  on  the  plaintext.  Practical  chosen  eij^hertext  at¬ 
tacks  have  been  demonstrated  by  several  authors;  w^e  just  mention  the  attack  by 
Canvel  et  ai  on  SSL/TLS  [20]  and  the  attack  by  Degabriele  and  Paterson  on 
IPsec  [25] . 

The  first  apj^roach  to  achieve  both  i)roi)erties  was  to  introduce  redundancy  to 
the  plaintext  before  encryption  in  order  to  achieve  both  goals,  but  this  is  clearly 
not  adequate.  A  first  formalization  of  unforgeable  enci'}  i)tion  was  j^ublished  by 
Katz  and  Yung  [5G].  Bellarc  and  Namprenipre  [6]  showed  that  if  the  MAC  al¬ 
gorithm  satisfies  a  strong  security  requirement  (namely  strong  unforgeability), 
the  best  generic  solution  is  to  apply  a  MAC  algorithm  to  the  ciphertext  (the  so- 
called  Enerypt-th('n-MAC  model),  which  is  the  option  chosen  by  IPsec.  Other 
alternatives  (MAC-then-Encrypt  of  SSL/TLS  and  Encryj^t  and  MAC  of  SSH) 
can  also  be  shown  to  be  secure,  but  thc}^  require  a  specific  rather  than  a  generic 
analysis  (e.g.,  taking  into  aceonnt  the  spix'ific  encryption  mode). 

The  above  schemes  require  both  an  eiuTyption  algorithm  and  a  MAC  al¬ 
gorithm.  Jutla  showed  that  it  was  possible  to  achieve  both  proi)erties  at  a 
much  lower  cost;  for  this  i)ur])ose  he  introduced  in  2000  two  modes,  the  lACBC 
(Integrity- A  ware  Cipher  Block  Chaining)  and  lAPM  (Integrity- A  w^are  Paralleliz- 
able  Mode).  Gligor  and  Doncscu  proposed  the  XCBC  and  XECB  schemes  in  [43]. 
Rogaway  et  ai  [85]  introdiu’ed  an  optimized  version  of  lAPM  called  the  OCB 
mode  (Offset  CodcBook).  These  schemes  require  an  overhead  of  less  than  10% 
over  CBC  encry])tioii  and  offer  some  attractive  features;  for  example,  some  of 
them  ar('  fully  parallellizeable.  An  important  iion-t('chiiical  disadvantage  is  that 
all  these  schemes  are  encumbered  by  patents,  which  has  been  a  barrier  to  their 
adoption. 

As  a  consequence  of  this  ])ateiit  issue,  several  alternative  schemes  have  been 
introduced  that  are  slowed*  than  these  schemes,  but  that  are  free.  NIST  and  ISO 
have  standardized  a  combination  of  the  counter  mode  with  a  polynomial  based 
authentieation  (the  Galois  Counter  Mode  or  GCM  [09.75])  and  with  CBC-MAC 
(the  Counter  with  CBC-MAC  mode  [102,74]).  For  a  more  detailed  overview  of 
authenticated  eiiciyption  schemes,  see  the  overview  article  by  Black  [12]  and  the 
ECRYPT  11  report.  [32]. 

3  Public  Key  Algorithms 

In  netw'ork  security,  public  key  algorithms  are  only  used  for  the  establishment 
of  session  keys  and  for  the  mutual  authentication  of  the  parties.  The  main  rea¬ 
son  is  that  public  k('y  operations  arc  tw'o  or  three  orders  of  magnitude  slower 


Cryptography  for  Network  Security  15 

than  syiiniietric  key  primitives.  Moreovt'r.  the  block  k'ligths  and  overlu'ad  art* 
substantially  larger.  Public  key  algorilliiiis  need  to  be  integrated  into  a  protocol 
siicli  as  the  Station-to-Station  protocol  [29];  more  elaborate  variants  of  this  pro¬ 
tocol  have  b(’eii  standardized  for  SSb/TLS  (RFC  524G)  and  for  IPsc'c  (lKEv2  in 
Rl'^C  43()()).  The  details  of  tlu'st'  proto(‘ols  fall  ontsidt'  the  .scope  of  this  article'. 

3.1  RSA 

HSA.  invented  by  Hivest.  Shamir  and  Adleniaii  in  1978  [83]  is  by  far  the  most 
\vid(‘ly  used  public  ke'y  algorithm  (tlu'  RSA  pate'iit  has  (*xpir('d  in  2()()()).  Tlu' 
RSA  encryption  operation  is  written  as  C  =  mod  N  and  the  decryption  is 
(‘omputed  as  P  —  mod  N .  Mere  tlu*  (mcryption  and  decryption  exponent  are 
related  by  (  •  d  —  1  mod  lcni(/>  1,  r/  —  1),  with  =  p  •  q.  The  se(*nrity  of  RSA  is 
bas(*d  on  tlu*  fact  that  it  is  relatively  ea.sy  to  finel  two  large  prime  mmibe'rs  p  anel 
e/,  blit  lie)  efficie*nt  nie*the)els  are*  kiieiwn  te)  factor  their  preieliiet  N .  Ne)te  that  the* 
security  e)f  RSA  is  basexl  e)n  the  fact  that  e^xtraetiiig*  randeiin  eth  re)e)ts  inoebV 
is  hard.  This  pre)ble*ni  ceinlel  be*  e'asier  than  facte)ring  N  (it  e*annot  be*  liareleT); 
surprisingly,  whetlu'r  eir  not  it  is  easier  is  still  an  e)pe*n  preibleni. 

The  be'st  kiieiwn  algejrithm  te)  factejr  an  RSA  nu)ehihis  is  the  General  Ninn- 
ber  Fielel  Sie*ve  (GXFS).  Leaistra  anel  Vk^rheail  ha\e*  re*latexl  the  e*e)niplexit.y  e)f 
GNFS  te)  breaking  symniotrie*  keys  and  ceimpiiting  discrete  leigaritlnns  in  [03] 
(.se'e*  also  the*  ECRYPT  II  report  on  this  te)pic  [32]).  Flie  eniTemt  facte)ring  re*e-e)rel 
(achie'vexl  in  January  2010)  is  768  hits  [GO].  The*  reeximmeMidexl  miiiimimi  size 
for  an  RSA  nieidiihis  te)elav  is  1024  hits:  fae  toriiig  such  a  me^idiilns  re'qnires  ap- 
pre)xiinate*ly  2^^  steeps.  Shamir  and  Tronier  [90]  pre)pc)seel  in  2003  a  harelware* 
ele'sign  that  weiulel  nex'el  an  Ri:D  effeirt  e)f  USS20  M.  The*  harelware  cost  to  fae  - 
teir  a  512-bit  meuliihis  in  te'ii  niiiiut(*s  weiiilel  be  US$  10000:  a  7G8-bit  nie)diihis 
coiilel  be  facteirexl  with  a  similar  budget  in  95  days;  facteiring  a  1024-l)it  nie)ehihis 
in  I  year  wonlel  ree|iiire  a  harelware  investnie*nt  of  IJS$  10  M.  Ne)te  that  the*se* 
ex)st  e^stimatc's*  elo  ne)t  ine  lnde  the*  liiu'ar  algebra  ste*p.  The*se*  estimate's  show  tliat 
fe)r  le)ng-te*i  111  se*cnrity  (10-15  ye'ars),  an  RSA  meieliihis  of  2048  bits  or  iiieire  is 
re*ee)nmie'nele‘el. 

Textbe)e)k  RSA  has  e)the*r  we‘akne*sses  (see*  [18]  for  eletails).  Feir  example*.  RSA 
for  small  argniiKMits  is  ne)t  se*cnre:  —1,0  and  1  are*  alway's  fixe*el  points  anel  if 
P'  <  N  e*xtracting  a  nie)ehilar  rth  roeit  simplifies  to  extracting  a  natural  eth 
re)e)t.  which  is  an  easy  pre)blem.  hi  aelditioii,  RSA  is  multiplicative',  which  means 
that  the  pre)eliict  nioehV  e)f  twe)  ciphertexts  will  de'crypt  te)  the*  proeluct  e)f  the' 
e*e)rre.spe)neling  plainte'xts. 

The  stanelard  PKCS#lvl.5  specifie*s  a  paeleling  method  for  encryption  and 
signing  with  the  RSA  algeirithm.  For  encryption,  the  format  ce)nsists  e)f  the*  fe)l- 
le)wing  se'eiueiie-e:  a  byte*  equal  te)  00,  a  byte  e*e|ual  te)  02,  at  le'ast  8  non-ze*re) 
padding  byte's,  a  byte*  00,  anel  the  plaintext.  Note  that  the  RSA  as.snniptie)n 
.state's  that  e^xtraetiiig  random  modular  eth  roe)ts  is  harek  which  nu'ans  that  one 
shonlel  map  the  plaintc'xt  spae'e  in  a  iniife)rni  way  te)  the  inte'rval  [0,  n[;  it  is  e*le*ar 
that  PKCS^1\T.5  is  quite  far  from  this  goal.  This  has  been  exple)it('d  by  Ble*- 
ichenbacher  [15]  to  re*e‘e)ver  the  plainte'Xt  e*e)rre'sponeling  te)  a  sele*e*te'el  e*ipheTtext 


40 


F3.  Preiieel 


using  a  chosen  ciphertext  attack  (in  which  encryptions  of  different  but  related 
ciphertexts  are  ol)tairied);  more  specifically,  Bleichenbacher’s  attack  only  needs 
to  know  whether  the  plaintext  is  of  the  right  format  (it  is  based  on  the  error 
messages).  In  1993,  Bellare  and  Rogaway  published  the  OAEP  (Optimal  Asym¬ 
metric  Encryption)  transform,  together  with  a  security  proof  [7].  This  proof 
essentially  states  that  if  someone  can  decrypt  a  challenge  ciphertext  without 
knowing  the  secret  key.  he  can  extract  random  modular  cth  roots.  The  proof 
is  in  the  random  oracle  model,  which  means  that  the  hash  functions  used  in 
the  OAEP  construction  arc  a.ssunuxl  to  be  perfectly  random.  However,  seven 
years  later  Shoup  pointed  out  that  the  proof  was  wrong  [91];  the  error  has  been 
corrected  by  lAijisaki  et  al.  in  [12],  but  the  resulting  reduction  is  not  very  mean¬ 
ingful,  that  is.  the  coupling  between  the  two  problems  is  not  very  tight  in  this 
new  proof.  Moreover,  Manger  showed  that  a  careful  inii)lenientation  is  necessary, 
since  otluTwise  a  chosen  ciphertext  attack  b^ised  on  error  messages  may  still  ap¬ 
ply  [6C|.  Current Iv  the  cryptographic  coniniimity  believes  that  th(‘  best  way  of 
using  RSA  is  the  RSA-KEM  mode  [80|:  this  is  a  so-called  hybrid  mode  in  which 
RSA  is  only  used  to  transfer  a  session  key,  while  the  plaintext  is  encrypted  using 
a  symmetric  algorithm  with  this  key. 

For  RSA  PKCS#lvl.5  signature's,  no  practical  attack  is  known,  even  if  this 
padding  format  is  again  very  far  from  random.  Tlu'  RSA  signing  operation  is 
applied  to  the  following  sequence:  a  byte  ('qnal  to  00,  a  byte  equal  in  01,  a 
series  of  bytes  equal  to  FF.  a  byte  00,  and  the  ha.sh  value  (with  some  ASN.l 
prepended).  At  the  rump  session  of  Crypto  2006,  Bleichenbacher  showed  that 
many  implementations  of  RSA  signature  verifications  stop  at  the  end  of  the 
hash  value.  This  opens  the  possibility  to  append  a  large  random  string  S  (and 
shorten  tlu'  series  of  FF  bytes  accordingly).  It  is  very  easy  to  choose  S  such  that 
the  complete  string  is  a  perfect  (  ube,  and  extracting  cube  roots  over  the  integers 
is  easy.  This  iiK'aiis  that  one  can  forge  any  signature  for  c  =  3  without  knowing 
tlu'  private  k(w;  even  better,  this  forged  signature  works  for  any  modulus  N 
that  is  large  enough.  A  variant  of  the  attack  is  based  on  the  fact  that  some 
verification  software  ignores  the  content  of  the  ASN.l  string.  These  attacks  can 
be  prechuk'd  by  impkaiKMiting  a  correct  verification,  which  consists  of  checking 
that  the  hash  value  is  right  aligiKsl  or  alternatively  l)y  re- generating  the  whole 
l)lock  as  the  signer  does  and  checking  that  it  is  coiT('et.  The  problem  is  however 
that  as  a  sigiua*  may  not  be  able  to  influence  the  verification  software,  heiue  it 
is  better  to  incn'asi'  the  verification  exponent  to  2*^  4-  1.  Implenientations  that 
were  reportc'd  to  be  vulnerable  to  this  problem  im  hide  OpenSSL,  Mozilla  NSS, 
and  GiniTLS.  A  better  solution  is  to  use  RSA-PSS  [8|.  which  has  been  iiichid('d 
together  with  OAEP  in  PKCS#I  v2.1.  Even  if  the  scheme  dates  back  to  1996 
and  the  standard  to  2002,  so  far  implementors  seem  to  Ix'  reluctant  to  upgrade 
to  the  more  robust  algorithms. 

For  performance  reasons,  the  RSA  private  key  operations  (decryption  and 
signing)  an'  often  executed  using  the  Chinese  remainder  theorem.  This  means 
that  they  are  coni|)uted  mod/>  and  mod  q  and  that  both  results  arc  combined  to 
recover  the  result  mo(bV.  One  of  the  most  important  vulneralulities  of  RSA  in 


Cl vi)togra|)liy  for  Network  Sc'curily 


17 


pi  cK't  ico  is  the  obsc'rvatioii  by  Boiieh  cl  ai  [17]:  if  a  transient  fault  is  introduced  in 
I li(' (‘aleiilal ion  mod /;  or  mod/;  (but  not  both),  one  can  ri'covc'r /;  and  q.  Making 
an  impkanentation  rofinst  against  these  powerful  fault  attacks  is  non-t rivial. 

All  hnportant  lesson  that  can  be  drawn  from  this  is  that  it  is  siir])risingly 
diflienll  to  use  ItSA  eorreetly:  it  has  taken  tlu'  eryiilographic  community  more' 
than  20  years  to  learn  how  to  do  this.  The  mo.st  efficient  solutions  still  rtdy  on 
the  random  oraek'  inod('l.  and  it  is  an  ini])ortant  jirobk'ni  how  one  can  ii.se  HSA 
('ffieieiitly  without  this  assumption. 

3.2  Elliptic  Curve  Cryptography  (ECC) 

Elli])ti<-  curve  cry])togi'a])hy  (E(X^)  is  a  ])nl)lie-k(\\‘  priniitiNi'  that  is  iiK  reasinglv 
im|)ortant  as  altcMiiativi'  to  RSA.  TIk'  standards  (e.g..  [52.47])  .sn])i)ort  both 
(dliptic  curve's  ov('r  with  p  jirime  and  with  m  jirinie.  The'  first  curve's  ean 
take'  aelvaiitage*  freiiii  an  aritlinie'tic  e*oj)rocessor  feir  RSA  if  available',  while  the' 
latter  allow  feir  ve'iy  compact  haidware'  inijik'ine'iitatioiis. 

An  important  advantage  of  elliptic  curve's  are  the  shorte'r  key  k'ligths.  Ha.se'el 
on  the  Ix'st  known  algorithms  texlav,  one  can  (Estimate  that  IGO-bit  e'llijitie*  (iirves 
( orrespeiiiel  te)  12  18-bit  RSA,  and  224-bit  ellij^tic  curve's  e'orre'Sjiond  te)  2132-bit 
RSA  (se'e:'  the  ECRYR  I'  II  r('])ort  [32]).  For  tlu'se  bit -lengths,  signing  is  abeiiit  five' 
(re'sj).  20)  times  faste'r  with  ellijit  ic  cnr\'('s,  but  verifying  a  signature'  is  .se've'ii  (re'S]). 
five*)  time's  faster  with  RSA.  Meireover.  very  conij)ae*t  liarelware  iinplementatieins 
e)f  ECC  have*  be'e'ii  ek'vele^pe  el. 

ECO’  was  i^reipei.seel  in  1085:  feir  the  first  15  years  the  marke't  was  re'lne'tant 
te)  aeleipt  this  ne'w  anel  me)re  ceinij^k'x  iirimitive.  However,  in  the  past  live  ye'ars 
has  be'e'ii  se'k'ete'd  by  the'  governments  of  Austria,  Cermaiiy.  Swit/e'rlanel 
and  the'  ESA  and  are  gaining  me)re'  wiek’spreael  acce'j)taiie  e'.  The'  main  attrae  tiein 
lie's  ede*arly  in  the*  shorter  ke'v  lengths:  this  aelvantage*  eive'r  RSA  will  greiw  large'r 
e)ve'r  time'. 


4  Conclusions 

During  the'  j)ast  ele'e'aek*.  the'  Ak"S  has  be'ceinu'  the  ele  facte)  standarel  feir  e'lie  rypting 
ne'tweirk  elata.  1 IMAC-MD5  anel  HMAC-SHA-l  are  the*  me)st  ee)ninie)ii  alge)ritlinis 
nse'el  fe)r  me.ssage  anthentication.  We  see  a  graehial  e'vohitiein  teiwards  using  nie'edi- 
anisnis  fe)r  ant Iie'iit ie'ate*el  e)r  iinfea-ge'able  eneTy])tie)n.  whie  h  e-eimbiiie'  e'lieaypt ie)ii 
anel  elata  aiithent ie  ation  in  eine*  o])eration.  The).se'  iiiexU's  re'epiire*  a  re'ek'sign  e)f  the' 
prote)ce)l.  In  this  e-e)nte'xt.  HMAC  is  iiieTeasiiigly  r(']:)Iaee'el  by  (MK'-MAC  ba.se'd 
e)ii  AES  e)r  a  pe)Iyne)mial  hash  fmie'tion:  the  latte'i  is  substantially  faster  but  pe'r- 
haps  a  bit  k'ss  re)bn.st.  Wire'k'ss  netweirks  still  use  e)kk'r  bk)ek  eiphers  e)r  stre'am 
ciplie'rs:  .3G  iie'tweirks  e)ffer  elata  ant  bent  icatie^n  base*el  e)n  xMAC  alge)rithnis. 

Fe)r  public  ke'V  alge)rithms  the'  eve)lutie)n  has  been  nnie  h  slowe'r.  RSA  anel  Dilfie'- 
He'llmaii  ba.se'el  pre)toce)ls  eiver  f),  are*  ge'tting  more  anel  me)re*  e‘e)nipe'titie)n  fre)m 
\ICC\  ill  partie  nlar  for  k)w  fe)e)t print  e)r  k)w  power  envire)nme*iit.s.  The  re'lative'ly 
smalk'r  ke'vs  fe)r  ECC^  is  a  ke'V  fae’te)r  in  this  elevelojime'nt . 


48 


B.  Preiieel 


Side  cliauiiel  attacks  have  become  an  important  area  of  rcsearcli:  tlicy  cur¬ 
rently  strongly  inflneiK'c  hardware  and  software  implementations,  but  at  the 
eost  of  a  (leereased  perfonnanee.  One  eaii  expect  that  in  the  future  soiiu^  algo¬ 
rithms  will  be  re-designed  from  scratch  so  that  implementing  these  algorithms 
ill  a  seenre  way  is  easier. 

In  addition  to  new  attacks,  new  security  jiroofs  and  models  have  In'en  devel¬ 
oped,  that  inerease  onr  understanding  in  areas  sneh  as  modes  for  eonfideiitiality 
and  authentieated  encryption  and  padding  methods  for  RSA  and  ECC. 

In  both  cases  (new  attacks  and  new  models  and  designs),  there  is  a  need  for 
efficient  and  seenre  procedures  to  upgrade  and  retire  cryptographic  algorithms. 
However,  even  if  we  live'  in  a  world  in  which  the  environinent  can  change  in  days 
or  months,  replacing  a  cryptographic  algorithm  still  takes  many  years.  System 
designers  need  to  build  systems  that  are  agnostic  to  the  cryptographic  algorithm 
and  that  allow  for  fast  and  seenre  key  length  and  algorithm  njigrades. 


Acknowledgements.  This  work  was  partially  funded  by  the  European  Commis¬ 
sion  through  the  1ST  Programme  under  Contract  ICT-2007-2 16676  ECRYPT  II 
and  by  the  Belgian  Government  through  the  lUAP  Programme  nnd(T  contract 
P6/26  BCRYPT. 

References 

1.  ANSI  X9.19,  Financial  Institiitioii  Retail  Me.s.sage  Authontk ation,  American 
Bankers  Association  (August  13,  1986) 

2.  ANSI  X9.52,  Triple  Data  Encryption  Algorithm  Modes  of  Oj)eration.  American 
Bankers  Association  (1998) 

3.  Barkan,  E..  Bihani,  E.,  Keller,  N.:  Instant  ciphertext-only  cryptanalysis  of  GSM 
encrypted  communication.  In:  Boneh,  D.  (ed.)  CRYPTO  2003.  LNCS,  vol.  2729. 
])p.  GOO  GIG.  Springer,  Heidelberg  (2003) 

4.  Bellare.  M.:  New  proofs  for  NMAC  and  IIMAC:  Security  without  collision  resis¬ 
tance.  In:  Dwork,  C.  (ed.)  CRYPTO  2006.  LNCS,  vol.  4117.  pp.  602  619.  Springer. 
Heidelberg  (2006) 

5.  Bellare,  M.,  Canetti,  R.,  Krawczyk,  H.:  Keying  hash  functions  for  mes.sage  au¬ 
thentication.  In:  Koblitz.  N.  (ed.)  CRYPTO  1996.  LNCS,  vol.  1109.  pj).  1  15. 
Springer,  Heidelberg  (1996) 

6.  Bellare.  M..  Nami)rempre,  C.:  Authenticated  encryption:  Relations  among  no¬ 
tions  and  analysis  of  the  generic  composition  paradigm.  In:  Okarnoto,  T.  (ed.) 
ASIACRYPT  2000.  LNCS,  vol.  1976,  pp.  531  515.  Springer,  Heidelberg  (2000) 

7.  Bellare,  xM.,  Rogaway,  P.:  Random  oracles  are  i)ractical:  A  paradigm  for  designing 
effu  ient  protocols.  In:  Procf^edings  ACM  Conference  on  Comi)nter  and  Commn- 
iiiiations  Security,  pp.  62  73.  ACM  Pn^ss.  Ncnv  York  (1993) 

8.  Bellare,  M.,  Rogaway,  P.:  The  exact  .security  of  digital  signatures  How  to 
sign  with  RSA  and  Rabin.  In:  Maurer,  U.M.  (ed.)  EUROCRYPT  1996.  LNCS, 
vol.  1070,  pp.  399  416.  Springer,  Heidelberg  (1996) 

9.  Bern.st(‘in,  D.J.:  The  Poly  1 305- AES  message-authentication  code,  lii:  Gilbert.  H., 
Handschuh,  11.  (eds.)  FSE  2005.  LNCS,  vol.  3557,  pp.  32-49.  Springer.  Heidelberg 
(2005) 


Cryptography  for  Network  Security 


H) 


10.  B<'nisteiii.  DJ.:  Cache-! lining  attacks  on  AES  (2005)  (preprint), 
http: //cr.yp. to/papers. html#cachetiming 

II  Biryukov',  A.,  Kliovratovich.  D.;  Belated-key  cryptanalysis  of  the  full  AES-102 
aiui  AES-25G.  In:  Matsiii,  M.  (ed.)  ASIACRYPT  2009.  LNCS,  vol.  5912,  jrp.  1 
18.  Siiringer,  Heidelberg  (2009) 

12.  Black,  ,).:  Antlienticated  encryirtion.  In:  van  Tilhorg.  H.  (e<l.)  Encyclopedia  of 
C^ryptogTaphy  and  Sc'ciiritv,  pp.  11  21.  Springer,  Heidelberg  (2005) 

bk  Black,  ,1..  Hah'vi.  S.,  Krawczyk,  II.,  Krovetz,  T.,  Rogaway,  P.:  PM  AC:  Fast  and 
secuK'  niessag<'  authentication.  In:  WieiK'r,  M..I.  (cd.)  CRYPTO  199!).  bNCS. 
vol.  16GG,  Pi).  21G  233  Springer,  Heidellrerg  (1999) 

11.  Black,  ,1.,  Rogaway,  P.:  CBC-MACs  for  arbitrary  length  massages.  In:  Bellao',  M. 
(ed.)  ('RYPTO  2000.  LNCS,  vol.  1880.  pp.  197  215.  Springer,  Heidelberg  (2000) 

15.  Bleiclienbacher.  D.:  Cho.sen  ciphertext  attacks  against  jrrotocols  based  on  the  RSA 
(Micrvi)tion  standard  PK('S  #1.  In:  Krawczyk,  II.  (ed.)  CR5'P1'0  I9!)8.  LN(\S, 
v'ol.  MG2,  ])!).  I  12.  Springer,  Heidelberg  (1998) 

IG.  Bleiclienbacher.  D.:  Forging  sonu'  RSA  signatures  with  pencil  and  i>aper.  Pre- 
.s('nt('d  at  the  Riinij)  .Session  of  Crypto  200G  (200G) 

17.  Boneh,  I).,  DeMillo.  R.,  Lipton,  R.:  On  the  imjiortance  of  (  hecking  erv])lographic 
protocols  for  faults,  fn:  Finny,  \V.  (ed.)  hTMtOCHY'PT  1997.  LNC.'S,  vol.  1233,  i)|). 
.37  51.  Si)ringer.  Heidelberg  (1997) 

18.  Hoiu’h,  I)..  .lonx.  A.,  Ngnyi'ii.  P.Q.:  Why  ti'xtbook  IdGanial  and  RSA  encryption 
are  insecure.  In:  Okainoto,  T.  (ed.)  ASIACRYPT  2000  LNCS,  vol.  197(),  |)i). 
30  -13.  Springer,  Heidelberg  (2000) 

19.  Bos.s<9aers,  A.,  Dobbertin,  II.,  Preneel,  B.:  The  RIPEMD-IGO  cryptographic  hash 
function.  Dr.  Dobb’s  .lonrnal  22(1),  21  28  (1997) 

2t).  C’anvt'I.  B.,  Hiltgi'ii.  A.P.,  Vandenay,  S.,  Vnagnonx,  M.:  Password  interception  in 
a  SSL/TLS  Channel.  In:  Boneh,  I),  (ed.)  CRYP  IT)  2003  LNCS,  vol.  2729,  pp. 
583  599.  Springer,  Heidellxag  (2003) 

21  Contiiii.  .S..  Lin.  Y.L.;  Forgery  and  i)artial  key  recovery  attaeks  on  HMA(’  and 
NMAC  using  hash  collisions.  In;  Lai,  X.,  Chen,  K,  (eds.)  ASIACRYPT  200(). 
LNCS.  vol.  1281.  pp.  37  53.  Springer.  Heidelberg  (2()0()) 

22.  Coron.  ,I.-S.,  Dodis,  Y..  Malinaud,  C’.,  Pniiiya.  P.:  Merkle-Danigard  revisited:  how 
to  construct  a  hash  fimctioii.  In:  Shonp,  V.  ((xi.)  CRYPTO  2005.  LNCS,  vol.  3G21. 
pp.  43t)  448.  Springer,  Ih'idc'lIxTg  (2005) 

23  ( 5)111  tois,  N.,  Meier,  W.:  Algebraic  attacks  on  stream  ciplu'rs  with  liiu'ar  fei'dbac'k. 
In:  Bihani.  E.  (<M.)  EURO(7RY’PT  2003.  LNCS,  vol.  2()5G.  pp.  ,315  359.  Springer. 
Heidelberg  (2003) 

21.  Daemen,  J.,  Rijmen,  V.:  TIk'  Design  of  Rijiidac'l.  In:  AlCS  The  Advanec'd  Eii- 
civption  Standard.  Springer,  lleidellxag  (2001) 

25.  Degabriele,  ,J.P..  Patt'rsoii,  K.C.:  Attacking  the  IPsec  standards  in  (Mieiyption 
only  conligurations.  In:  lEIiE  Symposium  on  Security  and  Fhivacy,  pp.  3,35  34!). 
IEEE,  Los  Alaniitos  (2007) 

2G.  <Ien  Boit,  H.,  Bosselaers,  A.:  Collisions  for  the  compre,s.sion  function  of  Ml)5.  In: 
Helleseth,  T.  (ed.)  EUROCRYPT  1993.  LNCS.  vol.  7G5.  pp.  293  301.  Springiu'. 
Heidelberg  (1991) 

27.  Dierks,  T..  Rescorla,  E.:  Tlu'  Transport  Laver  Security  (TLS)  Protocol  VVrsion 
1.2.  RFC  5240  (August  2008) 

28.  Dilfie,  W..  Landau,  S.:  Privacy  on  the  Line.  The  Policy  of  Wiretaj)pnig  and  En¬ 
cryption,  2nd  edn.  MIT  Press,  Canibridg('  (2007) 

29.  Dillic',  W.,  van  Ooiscliot,  P.C\,  Wieix'r.  M.J.:  Authentication  and  anthent icated 
key  ('xchanges.  Designs,  Codes,  and  Crypt ogra])hy  2(2),  107  125  (1992) 


50 


B.  Prciicel 


30.  Dobbertiii.  M.:  The  status  of  MDf)  after  a  r('e('iit  attack.  Crypt oBytes  2(2).  I  6 
(Suiiiiiier  1906) 

31.  Dnnkelinan,  ().,  Keller,  N.,  Shamir,  A.:  A  practical-time  attack  on  the  KASUMI 
cryptosystem  used  in  GSM  and  3C  telephony.  In:  Rabin,  T.  (ed.)  Advances  in 
Cryptology,  Procc'edings  Crypto  2010.  LNCS.  Springer,  Heidelberg  (2010)  (in 
print) 

32.  EU  Network  of  Excellence  PX3tYPT  11,  Yearly  Report  on  Algorithms  and  Keysizes 
(2009-2010),  http: //www. e crypt , eu.org 

33.  Ekdahl,  P.,  Johansson,  T.:  A  new  version  of  the  stream  cipher  SNOW.  In:  Nyberg, 
K.,  Hoys.  H.M.  (eds.)  SAC  2002.  LNCS,  vol.  2595,  pp.  47  61.  Springer.  Heidelberg 
(2003) 

34.  Electronic  Frontier  Foundation,  Cracking  DES,  Secrets  of  Encryption  Research, 
Wiretap  Politics*  Chip  Design.  O’Reilly  ^  Associates,  Sebastopol  (1998),  Source 
code  of  the  implementation  described  in  the  book  can  be  downloaded  from 
https : / / WWW . cosic . esat . kuleuven . ac . be/ des/ 

35.  P]U  Directive  1999/93/EC.  Community  framework  for  electronic  signatures  (D(v 
cember  13,  1999) 

36.  FIPS  180,  Secure  Hash  Standard,  Federal  Information  Processing  Standard 
(FIPS).  Publication  180,  NIST,  U.S.  Dept,  of  Commerce  (May  11,  1993) 

37.  FIPS  180-1,  Secure  Hash  Standard,  Federal  Information  Processing  Standard 
(P'lPS).  Publication  180-1,  NIST,  U.S.  Dept,  of  Commerce  (April  17,  1995) 

38.  FIPS  180-2,  Secure  Hash  Standard,  Federal  Information  Procc'ssing  Standard 
(FIPS).  Publication  180-2.  NIST  U.S.  Dept,  of  C^ommerce  (August  26,  2002) 
(Change  notice  1  published  on  December  1.  2003) 

39.  FIPS  197,  Advanced  Encryption  Standard,  Federal  Information  Pioce.ssing  Stan¬ 
dard,  NIS4\  U..S.  Dept,  of  Comnierce  (November  26,  2001) 

40.  Fluhrer.  S.,  Mantin,  I..  Shamir.  A.:  Weaknesses  in  the  key  .sein'd uling  algorithm 
of  RC4.  In:  Waiidenay,  S.,  Yons.sef,  A.M.  (eds.)  SAC  2001.  LNCS.  vol.  2259,  pp. 
1  24.  Springer,  Heidelberg  (2001) 

41.  Fonqne,  P.-A.,  Leurent,  G..  Nguyen,  P.Q.:  Full  key-recov<'ry  attacks  on 
HMAC/NMAC-M1)4  and  NMAC-MI)5.  In:  Menezes,  A.  (ed.)  CRYPTO  2007. 
LNCS.  vol.  4622.  pp.  13  30.  Springer.  Heidelberg  (2007) 

42.  Fujisaki,  E.,  Okanioto,  T.,  IMintcIu'val,  I).,  Stern,  J.:  RSA-OAEP  is  .secure  under 
the  RSA  cussmnption.  In:  Kilian,  J.  (ed.)  CRYPTO  2001.  LNCS,  vol.  2139,  pp. 
260  274.  Springer.  Heid('lb('rg  (2001) 

43.  Gligor,  VM).,  Donescii,  P.:  Fast  encryption  and  authentication:  XCB(’  encryption 
and  XECH  authentication  modes.  In:  Matsni,  M.  (ed.)  FSE  2001.  LNCS,  vol.  2.3.55, 
pp.  92  108.  Springer,  Heidelberg  (2002) 

44.  Gneron.  S.:  Intel’s  new  AES  instructions  for  ('uhanced  performance  and  secu¬ 
rity.  In:  Diinkelman,  O.  (ed.)  FSE  2009.  LNCS,  vol.  5665,  pp.  51  66.  Springer. 
Heidelberg  (2009) 

45.  Hand.schuh- 11.,  Prem'el,  B.:  Key-recovery  attacks  on  nniv'ersal  hash  function  boused 
MAC  algorithms.  In:  Wagner,  D.  (ed.)  CRYPTO  2008.  LNCS,  vol.  5157,  pp.  144 
161.  Springer,  Heidelberg  (2008) 

46.  Hong,  J..  Sarkar,  P.:  New  applications  of  time  memory  data  tradeoffs.  In:  Roy, 
B.K.  (ed.)  ASIACRYPT  2005.  LNCS,  vol.  3788,  pp.  353  372.  S[)ringer.  Heidelberg 
(2005) 

47.  IEEE  P1363,  Standard  Specifications  for  Public  Key  Cryptography  (2000) 

48.  Indcst('cge.  S..  Mendel.  F..  Preneel,  B.,  Rechberger,  C.:  Collisions  and  other  non- 
random  prop<'rti('s  for  step-n'dncc'd  SHA-256.  In:  Avanzi,  R.M.,  Keliher,  L.,  Sica, 
F.  (('ds.)  SAC  2008.  LNCS,  vol.  5381,  pp.  276  293.  Springer.  Heidelberg  (2009) 


Cryptography  for  Network  Sc’cnrity 


51 


19  ISO/IKC’  7816,  Information  toduiology  Identification  cards  Integrated  cii- 
ciiit(s)  cards  with  contacts  Part  I:  Interindustry  commands  for  interchange 
(1997) 

50.  ISO/IhX’  9797.  Information  technology^  Security  techniques  Message  Authen¬ 
tication  (\)des  (MACs).  Part  1:  M(*clianisins  using  a  block  cipher.  1999.  Part  2: 
Mechanisms  using  a  hash-fmu  tion  (2002) 

51  1S()/IKC  10118,  Information  technologv  Seenritv  t(Mhni(iues  Ibish-fimet ions. 
Part  1:  General  (2000),  Part  2:  I la.sh- functions  using  an  n-bit  block  cipher  al- 
gorithni  (2000),  Part  3:  Dedicated  hfish-fnnctions  (2000.  P‘^rt  3:  IIa.sh-fnnctions 
using  iiKxhilar  arithmetic  (1998) 

52.  ISO/lhX^  14S88-3,  Information  technology  Security  techni(pi(‘s  Digital  signa¬ 
ture's  with  api)endix.  Part  3:  (Vrtifi cate- based  meehanisms  (200()) 

53.  Iwata,  T.,  Kurosawa,  K.:  OMAC:  One  key  (310  MAC.  In:  Johansson,  T.  (ed.) 
PSE  2003.  bNCS,  vol.  2887,  pp.  129  153.  Springer,  H(Mdell>erg  (2003) 

51.  ,)onx.  A.:  Mnlticollisions  in  ite'rated  hash  functions.  Application  to  cascade'd  con¬ 
structions.  In:  Franklin,  M.K.  (ed.)  CUYPI'O  2004.  LN'CS,  vol.  3152.  pp.  306  3 Hi. 
Sj^ringer,  Heidelberg  (2004) 

55.  Kasper,  E.,  Schwabe.  P.:  Fa.ster  and  timing-attack  resistant  AES-GCM.  In: 
C'lavier,  C..  Chij,  K.  (eds.)  (31ES  2009.  LNCS.  vol.  5747.  pp.  I  17.  S|)ringer, 
IhMdelberg  (2009) 

5().  Katz.  .1.,  Yung.  M.:  I  nforgeable  encryption  and  clu)seii  ciphertext  se'cnre  mode's 
e)f  e)pe'ratie)ii.  In:  Schneier,  B.  (exl.)  FSE  2000.  LNCS,  vol.  1978.  pp.  284  299. 
Springe'r,  Ileidelbe'rg  (2001) 

57.  Kaufman,  C.:  Internet  Key  Exchange  (lKEv2)  Protoe-ol,  RFC’  4306  (De'ee'inbe'r 
2005) 

58.  Kelse'y,  Schneier,  B..  \Vagne*r,  D.:  Ke\y-schednle  eryptoanaly.sis  e)f  IDEA,  G- 
DES,  GOS35  SAFER,  and  tripIe'-DES.  In:  Ke)I)litz.  N.  (ed.)  C^RYPTO  1996. 
LNC’S.  ve)I.  1109.  pp  237  251.  Springer,  He’idelberg  (199()) 

59.  Kim,  J.,  Biryukov,  A  ,  Preiieel,  B.,  IIe)ng,  S.:  Gn  the' see  nrity  of  IIM AC^  anel  NMA(’ 
base'el  em  HAVAL,  Ml)4.  MD5.  SIIA-0  and  SIIA-1  .seenritv  in  commnnie*ation 
iie’twe>rks.  In:  I)e'  Prisex),  R.,  55ing,  M.  (eds.)  S('N  200().  LNC’S,  ve)l.  1116,  i:>j) 
2  12  25().  Springer,  Heielelberg  (2006) 

()0.  Kleinjniig,  T.,  Ae)ki,  K.,  hVanke,  J..  Lenstra,  A.K.,  1  home\  E.,  Bos.  J.W.,  Gaiielry, 
P.,  Krnpi)a.  A..  iMe)iitge)merv,  P.L.,  Osvik,  D.A..  te  Riele,  IF.  Timofeev,  A.,  Zim¬ 
merman.  P.:  Factori/atmn  of  a  7()8-bit  RSA  niexlnlns,  Aelvaiices  in  CY\'pte)k)gy. 
In:  Rabin,  T.  (e'el.)  Aelvanees  in  Crvi)te)le)gy.  Proe'e'eMlings  CYypto  2010.  LNCS. 
Sj)ringer.  Heidelberg  (2010) 

61.  Lambe'iger,  M.,  .Meiielel,  F.,  Rea'Iiberger,  C.  Rijme'ii.  V'.,  Sehlaller,  M.:  Re'bonnd 
eli.stingnisliers:  re^siilts  on  the*  full  Whirlpool  compre\ssion  fmictiem.  In:  Matsni. 
M.  (eel.)  ASIAC'RYPT  2009.  LNC'S,  ve)l.  5912.  pp.  126  143.  Springer.  1  leieledbe'rg 
(2009) 

()2.  Lano,  J.:  (  jyi)tanalysis  anel  De'sign  of  Syne  hn)ne)ns  Stream  Ciphers,  PhD  The*sis, 
C’OSIC’,  K.U. Leuven  (June  200()) 

63.  Le'iistra,  A.K.,  VYrhenl.  E.R.;  Seleetiiig  eryptographie*  key  size’s.  ,J.  Ch*v[)tol- 
e)gy  14(4),  255  293  (2001) 

61.  Leairent,  G.:  MD4  is  not  one*-way.  In:  Nvberg,  K.  (ed.)  FSE  2008.  LNC^S.  \ol.  5086. 
pp.  1 12  428.  Si)ringer.  Heieh'lberg  (2008) 

65.  Lu.  Y..  Meder,  W..  Yandenay,  S.:  The  e'e)nelit  ional  correlation  attae'k:  A  prae  ti- 
cal  attack  on  Bluet ootli  ene  ryption.  In:  Shonp.  V.  (e*el.)  CRYP  FO  2005.  LNCS, 
ve)l.  3621,  [)p,  97  117.  S[)ringer,  Heidelberg  (2005) 


52 


B.  Brencpl 


G6.  Manger,  J.:  A  clioson  ciphertext  attack  on  RSA  optimal  asyininetnc  encryption 
padding  (OAEP)  as  standardized  in  PKCS#1  v2.0.  In:  Kiliaii,  J.  (ed.)  CRYPTO 
2001.  LNCS,  vol.  2139,  pp.  230  238.  Springer,  Heidelberg  (2001) 

67.  Manuel,  S.,  Peyrin.  T.:  Collisions  on  SIIA-0  in  one  hour.  In:  Nyberg.  K.  (('<!.)  FSl^ 
2008.  LNCS,  vol.  5086,  pp.  16  35.  Springer,  Heidelberg  (2008) 

68.  Matyas,  S.M.:  Key  Processing  with  Control  Vectors.  J.  Cryptology  3(2).  113  136 
(1991) 

69.  McGrevv,  D..  \dega,  .1.:  The  security  and  |)erformaiice  of  the  Calois/Coiniter  Mode 
(GCM)  of  operation.  In:  Canteant,  A..  V^isvvanathan,  K.  (eds.)  INDOCRYPT 
2004.  LNCS,  vol.  3348,  i^p.  343  355.  Springer,  Heidelberg  (2004),  Full  paper 
http : //eprint . iacr . org/2004/193/ 

70.  Meier,  W.,  StafTelhach,  O.:  Fast  correlation  attacks  on  stream  ciplu'rs.  J.  (^ryp- 
tology  1(3).  159  176  (1989) 

71.  Menezes,  A..L,  van  Oorschot,  P.C.,  V^anstone,  S.A.:  Handbook  of  Applied  Cryp¬ 
tography.  CRC  Press,  Boca  Raton  (1997) 

72.  NIST  Special  Publication  800-67,  Recommendation  for  the  dViple  Data  Fneryp- 
tion  Algoritinn  (TDEA)  Block  Cipher  (May  2004) 

73.  NIST  Special  Publication  800-38B,  Recommendation  for  Block  Ciplu'i*  Modes  of 
Operation:  The  CM  AC  Mode  for  Authentication  (May  2005) 

71.  NIST  Special  Publication  800-38C,  Recommendation  for  Block  Cii)h(n-  Modes  of 
Op(n*ation:  The  CCM  Mode  for  Authentication  and  Confidentiality  (May  2004) 

75.  NIST  Special  Piiblicatk)ii  800-381),  Recommendation  for  Block  Ci])her  Modes  of 
Op(Tatioii:  Galois/CMiinter  Mode  (GCM)  and  GMAC  (Nov<‘inl>cr  2007) 

76.  O.svik.  D.,  Shamir.  A.,  Tromer,  E.:  Cache  attacks  and  connterniea.sur(‘s:  The 
ciuse  of  AES.  In:  Pointcheval,  D.  (ed.)  CT-RSA  2006.  LNCS,  vol.  3860,  pp.  1 
20.  Springer.  Heidelberg  (2006),  Extended  v^ersion  at, 

WWW. wisdom. we izmann. ac . il/^tromer/papers/cache . pdf 

77.  Paul.  S.,  Preneel,  B.:  Analysis  of  non-fortuitoiis  predictive  states  of  tiu'  RCM  key 
stream  Generator.  In:  Johansson,  T.,  Maitra,  S.  (eds.)  INDOCRYPT  2003.  LNCS. 
vol.  2904,  pp.  30  47.  Springer.  Heidelberg  (2003) 

78.  Petrank,  E.,  Backoff,  C.:  CBC  MAC  for  real-time  data  soiiree.s.  J.  Oyptol- 
ogy  13(3).  315  338  (2000) 

79.  Prenecd,  B.:  The  first  30  years  of  cryptographic  ha.sh  functions  and  the  NIST 
SHA-3  eompedition.  In:  Pieprzyk,  J.  (('(I.)  CT-RSA  2010.  LNCS.  vol.  5985,  pp. 
I  14.  .SpringcT,  fhndelberg  (2010) 

80.  Prened.  B.,  Biryukov,  A.,  De  Canniere,  C..  Ors.  S.B.,  O.swald.  PL.  Van  Roinpay. 
B..  Ciranbonlaii.  L.,  Dottax,  E..  Martinet,  G.,  Murphy.  S..  Dent,  A..  Ships(*y,  R.. 
Swart,  C.,  White,  J.,  DichtI,  M.,  Pyka,  S.,  Schaflientle.  M.,  Serf,  P.,  Biham,  E., 
Barkan.  E.,  Brazik'r,  Y.,  Diinkelman.  O.,  iMirman,  VL.  Kenigsberg.  D.,  Stolin. 
,1..  Qnis(piater.  J.-J.,  Ciet,  M.,  Sica.  F.,  Raddnni,  IL,  Knndsen.  L..  Parker,  M.: 
PTnal  n'port  of  NESSllk  New  European  S<  henu's  for  Signatures,  Integrity,  an<I 
Encryption.  LNCS.  Springtr.  Heidelberg  (in  print) 

81.  PreiKM'I,  B..  van  Oor.schot.  P.C.:  MDx-MAC  and  building  fast  MACs  from  hash 
functions.  In:  Coppersmith.  D.  (ed.)  CRYPTO  1995.  LNCS.  vol.  963,  pp.  I  14. 
Springer.  Heidelberg  (1995) 

82.  Rivest.  R.L.:  The  MD5  niessag(»-(Iigest  algorithm.  RPT’  1321  (April  1992) 

83.  Rivest.  R  L.,  Shamir,  A..  Adlcman.  L.:  A  method  for  obtaining  digital  signatures 
and  pnblie-key  cryptosystems.  Connnunieations  ACM  21(2),  120  126  (1978) 

81.  Robshaw,  M.,I.B.,  Billet.  O.  (eds.):  New  Stream  Cipher  Designs.  LNCS.  vol.  4986. 
Springer,  Heidelberg  (2008) 


( ’ryptography  for  Network  Sc'enrity 


(So.  Ucj^avvay,  P.,  f3('llare.  M.,  iilack,  Krovetz.  T.:  OC'B:  A  hloek-eiplier  iiKHh'of op¬ 
era!  ion  for  elhei(‘nt  aiil li(Miticate<l  encryption.  In:  A(\M  C()iifev('nee  on  Coinpiitca 
and  (’oiinnnnieations  Security,  pp.  If)")  205.  ACM  I^re.ss,  New  York  (2001) 

(S().  Ro^away,  P..  Slirinipton,  T.:  Cryi)tographie  lia^sli  fnnetion  h^tsies:  n('finit ions, 
implications,  and  separations  for  pr(‘iinage  K'sislance,  sc'cond-preimapje  re.sis- 
tanee.  and  ('ollision  rc'sistarn  (*.  In:  Roy.  B.K.,  Meier,  \\  .  ((’ds.)  I'SE  2001.  LNC^S. 
vol.  .i0I7,  pp.  ,'^71  'kSS.  Springer,  lleidelherg  (2004) 

S7.  Rn('j^p('l,  R.A.:  Analyses  and  Design  of  Stream  (’ipliers.  Springer,  lleidellxag 

(lost)) 

SS.  Sanadliya.  S.K..  Sarkar,  P.:  New  collision  attacks  against  np  to  24-st(*p  SllA-2. 
In:  Roy  (Miowdlmry.  L).,  Rijmem  V..  Das,  A.  ((^Is.)  INDCX’RYPr  2()()S.  LN(\S. 
vol.  55()5,  pp.  f)l  l(),'k  Spring(T,  Heich'lherg  (2008) 

8f).  Sa.saki,  Y.,  Aoki,  K.:  Finding  preimagi's  in  full  MD5  fast<'r  tlian  (’xliairstive  si’areh. 
In:  .Jonx,  A.  ((m1.)  I^UROCin'PT  2000.  LNC’S.  vol.  5470.  pp.  1,41  152.  Springc'r. 

I l('id('II)(‘rg  (2010) 

f)0.  Shamir.  A.,  Tromer.  Fv:  Factoring  large  iMnnI)ers  with  the  4A\‘IRP  d(‘vice.  hi: 
rh)neh.  [4.  (<‘d.)  C’R4  P4  ()  200,4.  PNCS,  vol.  272f),  i)p.  1  2().  ,S|)ringer.  Heidelberg 
(2004) 

f)I.  Shonp,  \'.:  OAICP  reconsid<*re<I.  In:  Kilian,  ,1.  (ed.)  (’FtYPTO  2001.  F^NC'S, 
vol.  214f),  pp.  24f)  25f).  SpriiigcT.  Heidelberg  (2001) 
f)2.  .Simmons.  Cl..].  (<’d.):  Contemporary  C^ryptologv  :  I’ln*  .Sci('nc('  of  Information  In¬ 
tegrity.  IFdMC  Press.  Los  Alamitos  (lOf)l) 

f)4.  Sotirov.  A..  St(‘vens.  M..  Appelbanm.  ,].,  Least  ra,  A.K..  Moliiar,  1)..  Osvik.  D.A.. 
de  WVgiT.  IL:  Short  eho.s('n- prefix  collisions  for  MD5  and  the  creation  of  a  rogn(‘ 
('A  certificate'.  In:  Halevi,  S.  ((*d.)  C^RYPTO  2001).  LNC’S.  vol.  5()77.  pj).  55  (>0. 
Springe'!',  1  h'idelbe'rg  (2001)) 

1)1  Lsimoe).  Saite>,  T.,  Snzaki.  7.,  Shige'ri,  M.,  Miyaiiehi.  IL.  Cryptanalysis  e>f 
DFjS  implemente'el  e)n  computers  with  cache*.  In:  W'alte'r.  (M)..  Koe;.  Cdx..  F^lar. 
(\  (e'els.)  (’IIFS  2004.  LNC’S,  \ol.  2771),  pp.  02  7().  Si)ringer.  He*iele'lbe*rg  (200,4) 
1)5.  van  Oe)rsehe)t,  P.C\,  W'ie'iier.  M..1.:  A  kne)vvn  plaint(*xt  attack  e)n  two-ke*y  triple* 
eiieiypi ie)n.  In:  Damgarel.  LB.  (eel.)  EUROC7^\'Pr  191)0.  LiNC‘S,  ve)l.  474.  pp. 
.41 S  .425.  Spri!ige*r,  Heiele*lb('rg  (1991) 

IH).  van  ()e>r.sche)t .  P.C\.  \\'ie*ne'r,  M.:  Paralle*!  ee)llision  se*areh  with  cryptanalyt ie*  ap- 
plicatie)ns.  ,1.  CYyj^teilogy  12(1),  1  28  (1999) 

1)7.  Wang,  X.,  Fan.  \'.L..  \’n,  11.:  Finding  collisie^ns  in  the*  full  SFIA-I.  In:  Shonp,  \L 
(e*eL)  (’RYF^TO  2005.  LNCS.  vol.  4621.  j)p.  17  .4f).  Springer.  I leiele'lbe'rg  (2005) 
98.  Wang,  X.,  \n,  IL:  How  to  bre'ak  MF)5  anel  ejtlier  hash  fnne'tie)ns.  In;  CrameT. 
R.  (e'el.)  EFROCRYI^r  2005.  LNC’S,  ve)l.  ,4194,  i^j).  19  45.  Springer,  lleidelbe'rg 
(2005) 

91).  Wang.  X..  \5i,  IL,  Wang,  WL.  Zhang.  IL.  Zhaii.  7\:  Cryptanalysis  e>n 
IIMA(7NMA(’MD5  anel  MD5-MAC5  In:  ,)onx.  A.  (e‘eL)  EFROCRYP1’  2009. 
LNC’S,  ve)l.  5479,  pi>.  121  L4.4.  Si)ringer.  lleidelbe'rg  (20I0) 

100.  Watanabe.  I)..  Fnruya.  ,S..  \5)slhela.  H..4akaragi,  K..  Prene*e'I.  B.:  A  ne*w  keystre*ani 
ge'nerate)r  MFCI.  In;  Dae'ineii.  .).,  Rijme'n.  V.  (e'els.)  FSE  2002.  LNCS,  ve)l.  2,4()5. 
pp.  I79  19I.  Springer,  IIeiele‘lbe*rg  (2002) 

101.  Wegman,  M.N.,  C5irt<‘r.  ,Ll^.:  New  ha.sh  fnnction.s  and  the'ir  use'  in  ant he*nt ieat ie)n 
anel  set  expialitv-  .le)m'tial  e)f  (5)nipnter  and  Syste'in  Se  ie*iiee'.s  22(4),  205  279  (1 98 1) 


54 


B.  Preiieol 


102.  Whiting,  D.,  Ilousley.  R.,  Ferguson,  N.:  Counter  witii  CBC-MAC  (CCM),  RFC 
3010  (Septeinhor  2003) 

103.  Wiener,  M.J.:  Eflicient  DBS  key  search.  Presented  at  the  Rump  Session  of  Crypto 
1993  (1993);  Stallings,  W.  (ed.):  Reprinted  in  Practical  Cryptography  for  Data 
Internetworks,  pp.  31  79.  IEEE  Computer  Society,  Los  Alaniitos  (1990) 

104.  Yu,  H.,  Wang,  G.,  Zhang,  G.,  Wang,  X.:  The  Sccond-Prcimage  Attack  on  MD4. 
In:  De.sniedt.  Y.(L,  Wang,  H.,  Mu,  Y.,  Li,  Y.  (eds.)  CANS  2005.  LNCS,  vol.  3810, 
pj).  I  12.  Springer,  Heidelberg  (2005) 


Group-Centric  Models  for 
Secure  and  Agile  Information  Sharing 


Ravi  Sandhii*'*^,  Ram  Krishnan*, 

Jianwci  and  William  H.  Winsbcrough^ 

’  Instiiuie  for  Cyber  Security 
^  Department  of  Computer  Science 
University  of  Texas  at  San  Antonio 
{ravi . sandhu, ram. krishnan}@utsa . edu. 
niu@cs.utsa. edu. wwinsborough@acm . org 


Abstract.  To  share  inlorniaiion  and  retain  control  (share -but- protect)  is  a  clas¬ 
sic  cyber  security  problem  for  which  effective  solutions  continue  to  be  elusive. 
Where  the  patterns  of  sharing  are  well  defined  and  slow  to  change  it  is  reason¬ 
able  to  apply  the  traditional  access  control  models  of  lattice-based,  role-based 
and  attribute-based  access  control,  along  with  discretionary  authorization  for  fur¬ 
ther  line-grained  control  as  required.  Proprietary  and  standard  rights  markup  lan¬ 
guages  have  been  developed  to  control  what  a  legitimate  recipient  can  do  with  the 
received  information  including  control  over  its  further  discretionary  dissemina¬ 
tion.  This  dis.semination-centric  approach  offers  considerable  flexibility  in  terms 
of  controlling  a  particular  information  object  with  respect  to  already  defined  at¬ 
tributes  of  users,  subjects  and  objects.  However,  it  has  many  of  the  same  or  similar 
problems  that  discretionary  access  control  manifests  relative  to  role-based  access 
conirol.  In  particular  specifying  information  sharing  patterns  beyond  those  sup¬ 
ported  by  currently  defined  authorization  attributes  is  cumbersome  or  infeasible. 
Recently  a  novel  mcxle  of  information  sharing  called  group-centric  was  intro¬ 
duced  by  these  authors.  Group-centric  secure  information  sharing  (g-SIS)  is  de¬ 
signed  to  be  agile  and  accommodate  ad  hoc  patterns  of  information  sharing.  In 
this  paper  we  review  g-SIS  models,  discuss  their  relationship  w  ith  traditional  ac¬ 
cess  control  models  and  demonstrate  their  agility  relative  to  these. 

Keywords:  DAC,  Groups,  UBAC,  MAC,  RBAC,  Secure  Information  Sharing. 


1  Introduction 

The  need  to  share  hut  protect  is  one  of  the  oldest  and  most  challenging  problems  for 
trustworthy  computing.  Salt/er-Schroeder  fl]  identified  the  desirability  and  difficulty 
of  maintaining  “some  control  over  the  user  of  the  information  even  after  it  has  been 
released."  The  ensuing  three  and  half  decades  have  further  compounded  the  technical 
difficulties  to  the  point  where  one  may  ask  if  it  is  even  reasonable  to  .seek  solutions.  The 
analog  hole  (2]  wherein  content  is  captured  at  the  point  it  is  rendered  into  human  per¬ 
ceptible  form  and  converted  back  into  unprotected  digital  form  highlights  the  intrinsic 
limits.  At  the  same  time  our  increasingly  information-rich  and  information-dependent 

I  Kotenko  :ind  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  62S8,  pp.  .*55-^9.  2010. 

©  Springer- Verlag  Berlin  Heidelberg  2010 


56  R.  Sandhu  et  al. 


society  needs  to  exploit  secure  information  sharing  (SIS)  to  fully  benefit  from  the  pro¬ 
ductivity,  social  and  national  security  benefits  of  the  ongoing  cyber  revolution. 

SIS  presents  two  major  research  challenges.  The  containment  challenge  is  to  ensure 
that  protected  information  is  accessible  on  the  recipient’s  computer  only  as  permitted 
by  policy,  including  inability  to  make  unprotected  or  less-protected  copies.  The  latter 
has  inherent  limits  such  as  the  analog  hole.  Containment  requires  a  trusted  computing 
base  on  the  recipient's  machine  and  a  mix  of  cryptography  and  access  control,  with 
the  degree  of  assurance  correlated  with  tamper-resistance.  There  is  a  rich  literature  on 
containment  including  the  currently  dominant  TCG  approach  [31.  While  high  assurance 
is  elusive  and  may  remain  so,  there  is  consensus  that  low  to  medium  assurance  is  within 
state-of-the-art. 

In  this  paper,  we  assume  that  adequate  assurance  for  containment  is  available  com¬ 
mensurate  with  the  application.  We  focus  on  the  policy  challenge  of  specifying,  analyz¬ 
ing  and  enforcing  SIS  policies  assuming  adequate  containment.  A  basic  premise  is  that 
this  requires  new  access  control  models  that  can  integrate  and  go  beyond  earlier  ones, 
have  intuitive  grounding  and  rigorous  mathematical  foundations,  are  usable  by  the  or¬ 
dinary  citizen  and  enforceable  in  distributed  systems.  The  paper  will  build  upon  a  novel 
approach  called  Group-centric  Secure  Information  Sharing  (g-SlS)  recently  introduced 
by  the  authors  [4,5,6 1.  Another  basic  premise  is  that  the  policy  challenge  in  specifying 
and  analyzing  the  intrinsic  application  policy  should  be  clearly  separated  from  enforce¬ 
ment  poliey  issues  that  arise  due  to  the  realities  and  practicalities  of  a  distributed  system. 
Following  [7,8,9|  we  call  the.se  respectively  P-layer  (for  application  policy)  and  E-layer 
(for  enforcement  poliey)  concerns.  These  premises  are  elaborated  helow. 

Although  many  access  control  models  have  been  published  and  analyzed,  only  three 
have  received  meaningful  practical  traction  [I Of  Discretionary  access  control 
(DAC)  [11,12,131  enforces  controls  on  sharing  information  at  the  discretion  of  the 
“owner”  of  the  information  hut  fails  containment  completely  by  allowing  unprotected 
copies  to  be  made.  (Originator  Control  or  ORCON  [14,15,16,17]  attaches  policies  from 
the  original  to  the  copies  to  fix  this  defect,  but  does  not  directly  address  the  policy  chal¬ 
lenge.)  Lattice-based  access  control  (LBAC)  [1 1,18,19,201  restricts  information  to  flow 
in  one  direction  in  a  lattice  of  security  labels.  Copies  inherit  the  least  upper  bound  of 
labels  from  the  originals  and  remain  contained.  Information  .sharing  in  LBAC  is  essen¬ 
tially  preordained  in  that  information  is  either  not  shared  or  shared  with  everyone  who 
has  a  sufficiently  strong  clearance.  Any  deviation  from  this  pattern  requires  creation  of 
a  new  label,  which  is  not  supported  in  existing  LBAC  models  and  breaks  their  exist¬ 
ing  mathematical  foundations.  Rolc-ha.sed  access  control  (RBAC)  [21,22]  is  designed 
to  facilitate  assigning  permissions  based  on  job  function  and  such  considerations.  Al¬ 
though  RBAC  can  be  configured  to  enforce  DAC  and  LBAC  [23]  it  is  not  de.signed  with 
information  sharing  in  mind,  so  it  does  not  directly  address  the  containment  or  policy 
challenges.  (Attribute-based  access  control  models  such  as  UCON  [24]  and  XACML 
[25]  use  general  attrihutes  in  addition  to  roles  and  security  labels,  but  likewi.se  do  not 
directly  address  eontainment  or  policy.)  This  bears  out  the  premise  that  new  access 
control  models  are  needed  for  SIS.  At  the  same  time  these  successful  elassie  models 
embody  intuitions  and  principles  that  are  likely  to  be  vital  to  a  eomprehensive  solution. 


Group-Centric  Models  for  Secure  and  Agile  Information  Sharing  57 


Connected, 

differentiated 


Isolated, 

differentiated 


Isolated, 

undifferentiated 


Fig.  1.  A  family  of  g-SIS  models 


The  premise  of  sharply  separating  P-  and  E-layers  builds  on  the  much  practised  pol- 
iey/mechanism  separation  principle  first  articulated  in  HYDRA  [26].  P-layer  specifica¬ 
tions  express  a  policy  that  is  ideal  in  the  sense  that  it  ignores  issues  such  as  distributed 
authorization  state,  network  latency,  caching,  and  requirements  for  off-line  use.  R-layei 
specifications  define  authorization  decisions  that  approximate  those  given  by  the  ideal 
policy  in  a  manner  that  provides  the  desired  application-dependent  balance  between 
resource  availability  and  timely  propagation  of  authorization-state  changes.  They  also 
include  additional  entities  such  as  trusted  authorization/revocation  servers  which  are 
abstracted  out  at  the  P-layer. 

This  paper  primarily  focu.sscs  on  P-layer  aspects  of  g-SIS.  In  g-SIS,  users  and  in¬ 
formation  come  together  in  a  group  to  facilitate  sharing.  Users  gain  access  to  group 
information  by  virtue  of  membership.  Likewise  information  is  made  available  to  mem¬ 
bers  by  adding  it  to  the  group.  Constituting  a  group  as  the  unit  of  SIS  provides  many 
of  the  same  benefits  of  using  roles  versus  individual  users  for  permission  distribution. 
Two  useful  metaphors  for  a  g-SlS  group  are  a  subscription  service  and  a  secure  meeting 
room.  Subscription  disseminates  information  to  subscribers  who  participate  in  blogs 
and  forums.  A  meeting  room  brings  people  together  to  share  information  available  in 
the  room.  The  times  at  which  users  join  and  leave  and  at  which  objects  are  added  and 
removed  affect  user  authorizations  both  during  and  after  periods  of  group  membership. 
For  example,  in  the  much  studied  secure  multicast  problem  [27]  new  members  joining 
the  group  cannot  access  content  added  prior  to  joining  (backward  secrecy)  and  mem¬ 
bers  leaving  the  group  cannot  access  new  content  thereafter  (forward  secrecy).  The 
requirements  of  a  committee  meeting  room  could  allow  members  access  to  older  in¬ 
formation  once  they  join  (no  backward  secrecy).  These  metaphors  further  indicate  the 
need  for  multiple  groups.  In  the  simplest  case  we  can  have  multiple  groups  that  are 
isolated  or  independent  in  that  membership  in  one  group  has  no  impact  on  what  a  user 
can  di)  in  another  group,  whereas  with  coupled  or  connected  groups  such  impact  can 
occur.  A  theory  of  g-SlS  thus  needs  to  model  and  enable  specification  of  such  temporal 
and  coupling  interactions.  Looking  within  a  group  we  can  distinguish  undifferentiated 
versus  differentiated  groups.  In  an  undifferentiated  group  user  authorizations  arc  undif¬ 
ferentiated  once  users  are  admitted  into  the  group.  Specifically,  authorizations  do  not 
depend  on  attributes  other  than  group  membership  (and  associated  temporal  relations 
between  users  and  objects  as  discus.scd  above  earlier).  Combining  these  two  character¬ 
istics  of  groups  we  have  four  possible  cases  shown  in  figure  1  for  g-SIS  models.  In  this 


58  R.  Sandhu  et  al. 


figure  the  lowest  class  (isolated,  undifferentiated)  is  included  in  all  the  higher  classes; 
the  highest  class  (connected,  differentiated)  includes  all  the  others;  and  the  two  classes 
in  the  middle  (isolated,  differentiated)  and  (connected,  undifferentiated)  are  incompa¬ 
rable  in  this  respect. 

Our  prior  work  [5]  primarily  focussed  on  the  isolated  group  model.  In  this  paper,  we 
outline  our  vision  on  building  the  connected,  undifferentiated  group  model  and  com¬ 
pare  it  with  classic  access  control  models  such  as  LBAC,  Domain  and  Type  Enforce¬ 
ment  [28]  and  RBAC.  We  show  that  our  proposed  connected,  undifferentiated  group 
model  can  express  such  policies  and  conveniently  handle  more  dynamic  information 
.sharing  scenarios.  The  remainder  of  this  paper  is  organized  as  follows.  In  section  2, 
we  briefly  review  the  isolated  group  model.  In  section  3,  we  discuss  candidate  inter¬ 
group  relationships  for  the  connected  group  model.  We  also  discuss  constructions  of 
LBAC  [20]  and  a  read-write  RBACq  model  |22]  and  demonstrate  the  agility  of  the 
connected  group  model  in  relation  to  these.  We  conclude  in  section  4. 


2  Background 

Group-Centric  models  for  secure  information  sharing  (g-SlS)  have  been  recently  in¬ 
troduced  [4,5,6].  In  this  paper  we  focus  entirely  on  undifferentiated  groups.  There  are 
then  two  classes  of  g-SlS  models:  isolated,  undifferentiated  (g-SlS')  and  connected,  un¬ 
differentiated  (g-SlS^").  For  convenience  we  will  henceforth  drop  explicit  mention  of 
undifferentiated  and  simply  call  these  two  classes  isolated  and  connected  respectively. 
In  g-SIS',  groups  are  isolated  in  the  sense  that  they  do  not  directly  interact  with  each 
other.  For  instance,  a  user’s  membership  in  one  group  has  no  implication  on  her  autho¬ 
rizations  in  other  groups.  Our  prior  work  [4,5,6]  focusses  primarily  on  isolated  g-S!S 
models.  In  g-SIS^,  groups  may  be  related.  For  instance,  user's  membership  in  one  group 
may  be  contingent  upon  her  membership  in  another  group  or  groups  could  be  hierarchi¬ 
cal  where  users  in  one  group  may  dominate  another  group.  In  this  section,  we  briefly 
review  the  core  aspects  of  isolated  g-SlS  models.  In  the  subsequent  sections,  we  discuss 
candidate  relationships  in  the  connected  group  models. 

In  g-SIS',  a  group  is  established,  for  instance,  between  two  or  more  organizations 
for  a  specific  purpose.  Users  from  these  organizations  may  join,  leave  and  possibly 
re-join  the  group.  Similarly,  objects  from  participating  organizations  may  be  added, 
removed  and  po.ssibly  re-added.  Users  in  the  group  may  read  and  write  such  group 
objects  and  potentially  create  new  objects  in  the  group.  Such  new  objects  typically 
represent  intellectual  property  created  as  a  result  of  collaboration  between  participating 
organizations.  In  such  scenarios,  authorizations  in  the  group  may  depend  upon  various 
aspects  such  as  the  time  at  which  a  user  joined  and  the  time  at  which  the  object  was 
added.  Specifically,  there  is  a  requirement  of  simultaneous  membership  of  a  user  and 
an  object  in  order  to  be  able  to  read/writc  the  object. 

g-SlS'  recognizes  a  range  of  group  policies.  For  instance,  in  some  scenarios,  users 
may  be  authorized  to  access  certain  objects  even  after  leaving  the  group.  In  another,  a 
joining  user  may  access  objects  added  prior  to  her  join  time.  Two  metaphors  highlight 
such  scenarios:  secure  meeting  room  and  subscription  service.  For  the  secure  meeting 
room  metaphor,  consider  a  program  committee  meeting  where  participants  discuss  in  a 


Group-Centric  M(xlcls  for  Secure  and  Agile  Information  Sharing  59 


room.  Suppose,  Alice  is  a  member  whose  paper  is  currently  discussed.  Typically,  Alice 
.steps  out  of  the  room  for  a  brief  period.  During  this  period,  Alice  may  retain  access  to 
discussions  that  occurred  prior  to  the  lime  at  which  she  left  the  room.  Further,  on  re¬ 
joining  the  room  at  a  later  period,  her  access  to  discussions  resumes  (except  those  that 
occurred  during  her  period  of  absence).  In  another  scenario  (where  Alice  to  had  to  step 
out  of  the  room  for  reasons  other  than  conflict-of-interest),  discussions  that  occurred 
during  Alice's  absence  may  be  recorded  in  a  while  board  and  she  may  access  them 
on  re-join. 

For  the  subscription  service  metaphor,  consider  a  secure  multicast  network  which 
typically  has  a  notion  of  backward  and  forward  secrecy.  When  a  node  joins  the  multicast 
network,  it  cannot  access  data  distributed  on  the  network  prior  to  join  time  (backward 
secrecy).  When  a  node  leaves  the  network,  it  cannot  access  data  shared  between  other 
nodes  alter  leave  lime  (forward  secrecy). 

In  general,  there  could  be  numerous  variations  of  such  policies  in  g-SlS‘.  A  g-SlS' 
specification  characterizes  the  precise  conditions  under  which  a  user  is  authorized  to 
perform  a  certain  action  (such  read  and  write)  on  an  object.  All  g-SIS’  specifications 
arc  required  to  satisfy  a  set  of  core  properties.  The  core  properties  specify  under  what 
conditions  it  is  appropriate  for  a  specilicaiion  to  hold  in  the  g-SIS’  model.  We  informally 
discuss  these  properties  below  (.sec  [5]  for  a  formal  treatment). 

Persistence  Properties:  This  class  of  properties  specifies  that  authorization  may  not 
change  unlc.ss  some  aulhori/alion  changing  event  occurs.  In  g-SIS',  authorization 
changing  events  include  a  user  joining  and  leaving  a  group  and  an  object  being 
added  and  removed  from  a  group.  Authorization  (or  Revocation)  persistence  prop¬ 
erly  stales  that  if  a  user  is  authorized  (or  not  authorized)  to  access  an  object  in  a 
group,  .she  will  remain  so  unless  one  of  the  authorization  changing  event  occurs. 

Authorization  Provenance:  This  class  of  properties  is  concerned  about  when  autho¬ 
rization  may  begin  to  hold.  As  mentioned  earlier,  in  certain  scenarios,  it  is  possible 
that  a  user  may  be  able  to  access  a  group  object  even  after  leaving  the  group.  (For 
instance,  after  the  subscription  ends,  the  user  may  retain  access  to  articles  that  she 
had  paid  for.)  This  property  .states  that  a  user's  authorization  to  access  an  object 
may  begin  to  hold  for  the  first  time  only  after  a  simultaneous  period  of  group  mem¬ 
bership  between  the  user  and  the  object  in  question.  Note  that  subsequent  limes  at 
which  the  same  authorization  holds  have  no  such  requirement.  Thus  it  is  possible 
to  construct  a  valid  g-SlS'  specification  in  which  after  an  initial  overlapping  period 
of  user  and  object  membership,  the  user  may  continue  to  remain  authorized  for  that 
object  even  after  leaving  the  group  (or  even  after  the  object  is  removed  from  the 
group). 

Bounded  Authorization:  This  class  of  properties  is  concerned  about  what  authoriza¬ 
tions  arc  allowed  to  hold  during  the  non -membership  periods  of  u.sers/objccts.  For 
users,  the  property  states  that  the  set  of  objects  that  a  user  is  authorized  to  access 
after  she  leaves  the  group  cannot  increase  after  leave  time.  (Note  that  she  may  lose 
access  to  such  objects  after  leave  time  but  she  cannot  gain  access  to  new  objects  af¬ 
ter  leaving  the  group.)  Similarly,  for  objects,  the  property  states  that  the  set  of  users 
authorized  to  access  an  object  after  it  is  removed  from  the  group  cannot  increase 
after  remove  time. 


60  R  Sandhu  et  al. 


tubofdR 

•ubordC 

tubordM 


Fig.  2,  A  snapshot  of  relationships  l:>etween  various  groups 


In  [5],  we  characterized  a  variety  of  useful  authorization  semantics  for  user  join  and 
leave  operations  and  object  add  and  remove  operations.  For  instance,  a  Strict  join  to  a 
group  restricts  a  user’s  access  to  objects  added  to  the  group  after  join  join  time  while 
a  Liberal  join  allows  access  to  all  objects.  We  also  developed  a  family  of  g-SIS‘  spec¬ 
ifications  ba.scd  on  such  authorization  semantics  and  showed  that  they  satisfy  the  core 
properties.  In  our  follow  on  work,  we  have  also  shown  that  the  core  properties  are  logi¬ 
cally  consistent  and  mutually  independent.  We  have  further  considered  additional  core 
properties  in  light  of  versioning  .support  for  object  write.  Here  each  object  is  composed 
of  a  growing  set  of  versions  and  any  specific  version  may  be  written  to  create  a  new 
version.  Further,  the  core  properties  accommodate  additional  authorization  changing 
operations  such  as  update  and  object  create. 

3  Connected  Group  g-SIS  Models 

In  this  section,  we  introduce  a  connected  g-SIS  model  (g-SIS^)  where  groups  are  con¬ 
nected  by  some  type  of  relationship.  Before  we  discuss  these  relationships,  it  is  impor¬ 
tant  wc  distinguish  the  notion  of  user  from  that  of  a  subject  in  access  control.  Typically, 
user  a  representation  of  a  human  being  in  the  system  (e.g.  user  id)  and  subjects  represent 
processes  (e.g.  a  word  processing  program)  that  a  user  may  create  to  carry  out  various 
tasks.  A  user  is  typically  trusted,  within  limits,  in  the  system  while  a  subject  is  not.  For 
instance,  a  subject  may  be  a  trojan  horse  performing  some  hidden  malicious  activities 
such  as  a  word  processing  program  uploading  contents  to  a  remote  server.  Thus  a  user 
may  create  a  subject  with  restricted  privileges  for  containment  purposes. 

3.1  Inter-group  Relationship  Semantics  in  g-SIS*^ 

We  discuss  a  few  candidate  inter-group  relationships  for  the  g-SIS*"  model  below: 

1.  Conditional  Membership  (condM):  A  conditional  membership  relation  between 
two  groups  specifies  that  a  users  membership  in  one  group  is  contingent  upon  her 
membership  in  another  group.  We  define  conditional  membership  relation  to  be 
reflexive.  Transitivity  and  symmetry  must  be  explicitly  defined  if  required.  Con¬ 
ditional  membership  requirements  arc  common  in  collaboration  scenarios.  For  in¬ 
stance,  consider  a  collaboration  group  g3  established  between  two  organizations 


Group-Centric  Models  for  Secure  and  Agile  Information  Sharing  61 


represented  by  groups  gl  and  g2  respectively  (see  figure  2).  It  is  typical  that  ev¬ 
ery  user  in  g3  is  required  to  be  a  member  of  either  gl  or  g2.  The  definitions 
condM(g3,gl)  and  condM(g3,g2)  can  easily  specify  this  requirement.  Note  that 
conditional  membership  is  a  relation  defined  between  groups  for  users.  It  does  not 
specify  any  direct  requirement  on  subjects. 

2.  Subordination:  The  subordination  relations,  in  general,  characterize  the  notion  of 
one  entity  dominating  another.  In  g-SlS"^,  we  define  a  number  of  subordination  re¬ 
lations  where  one  group  dominates  another  in  different  ways.  Again,  all  of  these 
relationships  are  reflexive  by  definition.  Transiti\  ity  and  symmetry  must  be  explic¬ 
itly  defined  if  required. 

-  Create  Subordination  (subordC):  A  subordC(g3,g5)  definition  states  that  users 
in  group  g3  may  create  subjects  in  group  g5. 

-  Read  Subordination  (subordR):  A  siibordR(g3,g5)  definition  states  that  sub¬ 
jects  in  group  g3  may  read  objects  in  group  g5. 

-  Write  Subordination  (siibordW):  A  subordW(g4,g3)  definition  states  that  sub¬ 
jects  in  group  g4  may  write  to  objects  in  group  g3. 

-  Move  Subordination  (siibordM):  A  subordM(g3,g5)  definition  states  that  sub¬ 
jects  in  group  g3  may  move  to  group  g5.  After  moving  to  g5,  the  subject  no 
longer  resides  in  g3  which  may  result  in  losing  access  to  objects  in  g3. 

Evidently,  these  subordination  relations  allow  users  in  one  group  to  read  and  write 
objects  in  another  related  group  by  means  of  their  subjects. 

3.  Mutual  Exclusion:  Two  groups  may  be  specified  to  be  mutual  exclusive  with  respect 
to  membership.  That  is  a  user  (or  an  object)  may  not  be  a  member  of  mutually 
exclusive  groups  at  the  same  time.  Furthermore,  dynamic  mutual  exclusion  can 
also  be  specified  where  a  user  may  be  a  member  of  two  mutually  exclusive  groups 
but  cannot  create  subjects  in  the  two  groups  at  the  same  time. 

4.  Cardinality:  There  could  be  many  different  types  of  cardinality  constraints.  For 
instance,  a  group  could  have  membership  cardinality  for  users,  subjects  and  objects. 
Furthermore,  a  cardinality  restriction  on  the  number  of  relationships  that  a  group 
may  have  with  other  groups  could  be  specified. 

Figure  2  shows  a  snapshot  of  relationships  established  between  different  groups.  An 
important  aspect  of  g-SlS^  is  that  relationships  may  change  over  time  as  per  the  varying 
requirements  of  the  information  sharing  or  collaboration  application. 

3.2  Configuring  LBAC  Policies  in  g-SIS^ 

In  this  section,  we  di.seiiss  how  Lattice- Based  Access  Control  [20]  policies  such  as  Bell- 
LaPadula  [  1 8]  information  flow  policies  can  be  easily  configured  using  the  relationships 
defined  in  g-SIS^.  We  also  demonstrate  the  agility  of  g-SIS^  by  shoing  how  it  addresses 
some  of  the  limitations  of  LBAC  models. 

Figure  3(a)  shows  two  sample  Bell-LaPadula  lattiees  for  orgs  A  and  B.  The  org  A 
lattice  has  four  security  labels:  L,  M 1 ,  M2  and  H.  In  LBAC,  the  domination  relationship 
is  reflexive,  transitive  and  anti-symmetric.  In  this  lattice,  MI  and  M2  dominate  L  and 
H  dominates  Ml  and  M2  (and  L  by  transitivity).  Ml  and  M2  are  incomparable.  As 
per  standard  terminology,  users  are  assigned  one  of  these  four  security  clearances  and 


62  K.  Sandhu  ct  al. 


♦  TS 


S 

C 

u 


Org  A 


Org  B 


G  H 


G  L 


(a)  A  sample  lattice  for  one-  (b)  An  equivalent  g-SlS'’  configuration  of  org  A 

directional  information  llow.  lattice. 


Fig.  3.  LB  AC  in  g-SlS*^ 


objects  are  assigned  one  of  these  four  classifications.  Users  may  then  create  a  subject 
with  a  clearance  that  is  dominated  by  the  user’s  clearance.  A  subject  may  read  objects 
whose  classifications  are  dominated  by  the  subject's  clearance,  A  subject  may  write  to 
objects  whose  classificalions  dominate  the  subject's  security  clearance. 

Figure  3(b)  shows  an  equivalent  construction  of  org  A  lattice  in  g-SIS^.  It  consists 
of  four  groups  G-L,  G.Ml,  G_M2  and  G.H  rcpre.senting  the  labels  L,  Ml,  M2  and  H 
respectively.  Read,  write  and  subject  create  subordination  relationships  have  been  de¬ 
fined  according  to  the  specification  of  the  org  A  lattice  in  figure  3(a).  The  subordination 
relationships  are  defined  in  such  a  manner  that  a  group  at  the  arrow  end  is  subordinate 
to  the  group  at  the  tail  end.  For  instance,  G  JVI 1  is  both  create  subject  and  read  subor¬ 
dinate  to  G_H,  while  G_H  is  write  subordinate  to  G  JVI  1 ,  Since  the  relationships  are  not 
transitive,  we  needed  to  define  direct  subordination  relationships  between  G_H  and  G-L 
as  shown  in  the  figure. 

Suppose  orgs  A  and  B  in  figure  3(a)  need  to  collaborate  on  a  mission.  Specifically, 
suppose  that  org  B  wants  to  share  all  its  S  classified  objects  (but  not  its  TS  and  C  clas¬ 
sified  objects)  with  H  cleared  users  in  org  A.  This  is  not  feasible  by  simple  adjustments 
to  the  two  lattices  in  figure  3(a). 

Figure  4  shows  a  construction  in  g-STS^^  that  allows  such  collaboration  scenarios.  By 
assigning  a  read  .subordination  relation  between  groups  G_H  and  G_S  and  groups  G_H 
and  G-C  respectively,  org  B  is  able  to  allow  H  cleared  org  A  users  to  read  both  S  and 
C  classified  org  B  objects.  If  the  subordRrclation  is  excluded  between  G_H  and  G_C, 
read  access  can  be  restricted  to  S  cleared  objects.*  Note  that  other  types  of  subordina¬ 
tion  relationships  may  be  specified  between  org  A  groups  and  org  B  groups  to  realize 

'  It  is  tme  that  information  may  flow  from  G_C  to  G_S  and  thus  restricting  org  A  users'  aceess 
only  to  G_S  may  not  be  completely  feasible.  Nevertheless,  only  information  that  is  explicitly 
copied  from  G_C  to  G_S  by  a  subjeet  is  available  to  G_H  u.sers.  G-H  users  do  not  have  direct 
access  to  G.C  objects. 


Group'Ceniric  Mixlels  for  Secure  and  Agile  Information  Sharing 


63 


Org  A  Org  B 


Fig. 4.  Agile  collaboration  enabled  by  g-SlS^ 


other  interesting  policies.  For  instance,  G_L  users  may  be  allowed  to  write  to  G_TS  ob¬ 
jects  by  defining  subordW(G_L,  G  TS).  These  relationships  arc  temporary  and  may  be 
terminated  or  modified  as  collaboration  evolves. 

Now  consider  another  collaboration  .scenario  illustrated  in  figure  5.  Suppose  org  A 
and  org  B  need  to  collaborate  on  a  mission.  They  establish  groups  G1  and  G2.  TS 
users/objects  from  org  A  and  H  users/objecis  from  org  B  may  join/be  added  to  G 1  (sim¬ 
ilarly  for  G2).  Conditional  membership  relations  between  groups  TS  and  G I  and  groups 
H  and  G1  are  respectively  delincd.  This  ensures  that  if  a  user  leaves  the  source  orga¬ 
nization,  her  membership  in  G1/G2  is  automatically  terminated.  New  information  may 
be  created  in  G1  and  G2  as  a  result  of  collaboration  which  may  be  exported  to  groups 
El  and  E2  respectively.  The  export  operation  may  be  performed  only  by  special  sub¬ 
jects  that  have  administrative  rights  in  the  system.  By  defining  a  subordRrelalion.ship 
between  respective  source  organization  groups  and  these  export  groups,  we  allow  peri¬ 
odic  updates  about  the  mission  to  be  communicated  to  users  in  source  organizations. 

3.3  Configuring  Domain  and  l^pe  Enforcement  in  g-SIS^ 

Domain  and  Type  Enforcement  (DTE)  (see  [28]  for  example)  assigns  a  subject  to  a 
specific  domain  and  an  object  to  a  specific  type  and  enforces  information  flow  by  spec¬ 
ifying  the  read  and  write  permissions  in  the  form  of  a  matrix.  A  classic  example  of 
the  application  of  DTE  is  to  address  the  problem  of  trusted  pipelines.  Suppose  org  A 
(figure  3(a))  needs  to  enforce  that  information  may  flow  from  L  to  H  but  only  via  M  1 
or  M2.‘  This  is  not  possible  to  achieve  in  classic  LBAC.  Due  to  the  transitive  nature 

■  For  instance,  before  a  subject  at  some  clearance  level  may  write  to  a  print  queue,  the  d(KU- 
ment  needs  to  be  sent  to  a  trusted  print  queue  manager  that  visibly  stamps*  every  page  of  the 
document  to  be  printed  with  the  correct  label.  In  this  scenario,  the  subject  should  not  bypass 
the  queue  manager  and  write  to  the  printer  directly. 


64  R.  Sandhu  et  al. 


Org  A  Collaboration  Org  B 

Groups 


Fig. 5.  A  collaboration  scenario  between  orgs  A  and  B.  The  four  groups  in  the  middle  column 
(Gl,  G2,  El  and  E2)  arc  established  for  collaboration  between  org  A  (groups  in  first  column) 
and  org  B  (groups  in  third  column).  Groups  El  and  E2  are  used  for  exporting  new  information 
created  as  a  re.sult  of  collaboration  to  Gl  and  G2  respectively.  As  indicated,  the  export  operation 
may  be  perfonned  only  by  trustedyadmini strati ve  subjects. 


Objects 


Subjects 

▼ 


Domain 

H_Ty 

M1_Ty 

M2_Ty 

L_Ty 

H_Dom 

IW 

r 

r 

r 

MIDom 

w 

rw 

- 

r 

M2_Dom 

w 

- 

rw 

r 

L  Dom 

- 

w 

w 

rw 

Fig. 6.  A  DTE  matrix  to  enforce  a  trusted  pipeline  from  L  to  H  via  Ml  or  M2  for  org  A  lattice  in 
figure  3(a).  Note  that  a  subject  in  L_Dom  cannot  write  directly  to  objects  in  H,Ty. 


of  domination  relation,  subjects  in  L  may  directly  write  to  objects  in  H  (bypassing  MI 
and  M2).  In  order  to  achieve  this.  DTE  a.ssigns  .subjects  to  domains  (instead  of  security 
clearances)  and  objects  to  types  (instead  of  classifications)  and  specifies  the  rights  in 
the  form  a  matrix  as  shown  in  figure  6.  Note  that,  as  per  this  matrix,  a  subject  in  L_Dom 
cannot  directly  write  to  H_Ty.  However.  L_Dom  subjects  may  write,  for  instance,  to 
Ml_Ty  and  M  l_Dom  subjects  may  then  read  that  object  and  write  to  H_Ty. 

Figure  7  shows  an  equivalent  g-SIS^  configuration  for  the  DTE  matrix  in  figure  6. 
Users  join  one  of  the  four  first  level  of  groups  (H_G.  Ml  _G.  M2^G  and  L_G).  The  sec¬ 
ond  level  of  groups  represent  domains  for  subjects.  A  user  in  one  of  the  first  level  groups 


Group-Centric  Models  tor  Secure  and  Agile  liitbrnuuioii  Sharing  65 


M2  G 


M2_Ty 


H.Ty 


M1_G 


M1_Ty 


Fig.  7.  An  equivalent  g-SIS^  configuration  of  the  DTFI  matrix  in  figure  6.  Users  join  one  of  the 
first  level  of  groups  (light  gray).  Users  may  create  subjects  in  the  second  level  groups  representing 
domains.  Objects  belong  to  the  third  level  groups  (dark  gray)  repre.senting  types. 


may  create  a  subject  in  the  second  level  domain  groups  as  per  the  create  subject  subor¬ 
dination  relation  (subordC)  defined  between  them.  The  third  level  of  groups  represent 
the  types  for  objects.  Read  and  write  subordination  relations  are  defined  between  the 
domain  and  type  groups  as  per  the  DTE  matrix  in  figure  6.^ 

3.4  Configuring  RBAC  Policies  in  g-SIS^ 

In  this  section,  we  show  the  configuration  of  Role-Based  Access  Control  (RBAC)  mod¬ 
els  122]  in  g-SlS^.  In  RBAC,  a  .set  of  roles  arc  created  which  typically  represent  job 
f  unctions  of  users  (employees)  in  an  organization.  Each  role  is  assigned  with  a  .set  of 
abstract  permissions  (permission-role  assignment)  such  as  credit  and  dehit  and  users  are 
assigned  to  specific  roles  (user-role  assignment).  Users  may  activate  any  combination  of 
roles  assigned  to  them  by  creating  a  se.s.sion.  Sessions  in  RBAC  are  similar  to  subjects. 
The  permissions  available  to  a  user  in  a  session  is  the  set  of  all  permissions  assigned  to 
the  set  of  roles  activated  in  the  session  by  the  user.  U.sers  may  dynamically  activate  and 
de-aetivate  speeihe  roles  in  the  session  for  containment  purposes.  A  family  of  models 
have  been  specified  in  the  well-known  RBAC96  [22].  RBACo  is  the  basic  model  de- 
.scribed  above.  RBACi  supports  role  hierarchies  (where  a  role  inherits  the  permissions 
of  other  roles  that  it  dominates).  RBAC2  supports  constraints  such  as  separation  of  duty 
and  role  cardinality.  RBAC.^  supports  all  the  features  of  RBACq,  RBACi  ‘ind  RBACj 
models. 

Here  we  only  discuss  the  basic  model,  RBACo.  g-SlS*^  is  a  model  for  information 
sharing  where  read  and  write  permissions  to  objects  are  of  concern.  However  RBAC 
supports  abstract  permissions  (to  accommodate  varied  permissions  in  an  organization) 
and  hence  it  is  not  feasible  to  directly  configure  RBAC  policies  in  g-SlS''.  For  the 

^  The  figure  outlines  the  approach  for  the  construction  but  excludes  some  finer  details.  For  in¬ 
stance,  users/objects  may  not  be  members  of  domain  groups  and  hence  we  need  a  user/object 
memhership  cardinality  constraint  on  those  groups.  Similarly,  users  cannot  join  more  than  one 
of  the  lirst  level  groups  w  hich  requires  a  mutual  exclusion  constraint  between  those  groups. 


66  R.  Sandhu  ei  al. 


R1  G  R1R2_G  R2  G 


Roa<j_01  Wr«e_01  RBfld_02  Wnto_02 


Fig.  8.  An  equivalent  g-SIS^^  configuration  for  the  RBACJJ*  model 

purpose  of  our  construction,  we  consider  an  RBACq  model  with  only  read  and  write 
permissions  to  objects.  Thus  for  every  object,  we  have  two  permissions:  one  to  read  and 
the  other  to  write  that  object.  We  denote  this  read-write  RBACq  model  as  RBACf^. 

Consider  two  roles  R1  and  R2  and  two  objects  01  and  02.  As  mentioned  earlier, 
we  have  two  permissions  (read  and  write)  for  each  object,  resulting  in  a  total  of  four 
permissions.  Suppose  Rl  is  assigned  permissions  to  read  and  write  OI  and  R2  is  as¬ 
signed  permissions  to  read  and  write  02.  Figure  8  shows  an  example  construction  of 
RBACf^  model  with  two  roles  Rl  and  R2  and  two  objects  OI  and  02  in  g-SIS^.  The 
first  level  of  unshaded  groups  (RI.G,  R2>G  and  R1R2.G)  represent  groups  for  user- 
role  assignment.  A  user  may  be  a  member  of  one  of  these  groups.  For  instance,  users  in 
RLG  have  role  Rl  while  users  in  R1R2_G  are  assigned  to  roles  Rl  and  R2.  The  second 
level  of  light-gray  groups  represent  sessions.  Note  that  the  group  R1R2'_S  represents 
activating  a  session  with  no  roles  assigned.  The  second  level  of  groups  are  related  to 
unshaded  groups  using  subordCrelations  specifying  the  rules  for  subject  creation  (sim¬ 
ilar  to  session  in  RBAC^).  Note  that  subjects  may  move  between  the  light-gray  groups 
as  per  the  subordMrelation  defined.  This  allows  users  to  activate  and  de-aetivate  a  role 
dynamically.*^  Finally,  the  last  level  of  dark-gray  groups  represent  object  permissions. 
Groups  Read-Ol  and  Write.Ol  and  Read_02  and  Write_02  represent  permissions  for 
objects  OI  and  02  respectively.  These  groups  are  related  to  the  light-gray  groups  as 
per  the  requirements  of  permission-role  assignment.  In  the  figure,  roles  Rl  and  R2  have 
read  and  write  permissions  to  objects  OI  and  02  respectively.  Thus  users  assigned  to 
both  roles  Rl  and  R2  have  read  and  write  permissions  to  both  objects  OI  and  02.  The 
subordRand  subordWrelations  defined  in  figure  8  reflect  this  configuration. 

^  Again,  constraints  are  necessary  for  a  complete  construction.  For  instance,  a  subject  may  move 
from  R I  _S  or  R2_S  to  R I  R2_S  only  if  the  user  who  owns  the  subject  is  a  member  of  R 1  R2_G. 
Additional  constraints  are  also  necessary  to  ensure  that  users  are  not  assigned  to  more  than  one 
of  RLG,  R2_G  andRlR2_G. 


Groiip-Ceniric  Models  for  Secure  and  Agile  Informalion  Sharing  67 


4  Conclusion  and  Discussion 

We  presented  some  of  design  choices  for  a  connected,  undifferentiated  group  g-SlS 
model  and  demonstrated  its  agility  with  respect  to  the  ease  with  which  changes  to  infor¬ 
mation  How /sharing  pattern  in  classic  LBAC  models  can  be  efficiently  handled.  We  also 
showed  an  equivalent  representation  of  an  RBAC  model  with  read-write  permissions. 
Because  of  this  result  and  as  per  123],  we  claim  it  is  feasible  to  configure  Discretionary 
Access  Control  policies  in  g-SlS^.  This  positive  result  allows  a  system  to  use  the  same 
trusted  computing  ba.se  to  configure  any  of  the.se  policies.  Prior  work  on  non-transitive 
information  flow  in  the  literature  (see  [29|  for  example)  is  relevant  in  this  context.  How¬ 
ever,  g-SIS  is  far  richer  and  brings  in  additional  concepts  such  as  subject  creation  and 
movement  subordination.  Furthermore,  g-SIS  accommodates  various  useful  semantics 
for  group  operations  such  as  Join  and  leave  for  users  and  add  and  remove  for  objects  as 
illustrated  in  14,51. 

Another  area  of  related  work  is  that  of  Dynamic  Coalition  (see  for  example  |3().3 1 1). 
This  problem  is  concerned  about  forming  a  coalition  amongst  different  organizations, 
for  instance,  in  response  to  a  crisis.  Most  of  the  security  research  in  this  domain  has 
been  carried  out  in  the  enforcement  or  E-laycr  with  the  exception  of  a  few.  (For  in¬ 
stance,  in  132,33],  the  authors  focus  on  enriching  role-based  access  control  to  address 
the  challenges  involved  in  dynamic  coalition.)  While  dynamic  coalition  is  a  very  broad 
and  large-scale  problem,  the  focus  of  g-SIS  models  is  more  on  information  sharing. 
Specifically,  it  focusses  on  read  and  write  permissions  to  objects  and  containing  subject 
level  information  flow.  We  believe  that  g-SIS  policy  models  can  be  beneficially  used  in 
dynamic  coalition  .scenarios. 

Our  future  work  involves  formal  specification  and  analysis  of  a  connected  group 
g-SlS  model.  In  our  prior  work  |4,5.6.34],  we  have  formally  specified  and  analyzed  an 
i.solatcd  group  g-SlS  model.  We  arc  exploring  candidate  core  security  properties  for  the 
connected  g-SlS  model  similar  to  those  of  the  isolated  model.  A  major  challenge  in  the 
connected  model  is  that  relationships  are  not  static  like  that  of  LBAC  models.  Modern 
information  sharing  scenarios  are  dynamic  and  intcr-group  relationships  change  over 
time.  This  complicates  information  How  analysis  in  the  connected  model.  For  instance, 
information  may  flow  from  group  gl  to  g3  even  if  gl  and  g3  never  existed  at  the  same 
time  (it  may  currently  flow  from  gl  to  g2  and  from  g2  to  g3  in  the  future).  Thus,  unlike 
LBAC,  information  flow  properties  tend  to  be  temporal  in  nature  in  g-SlS^^. 

Acknowledgments 

The  authors  are  partially  supported  by  grants  from  NSF,  AFOSR  MURI,  THECB,  State 
of  Texas  Emerging  Tech.  Fund  and  Intel  Corp. 


References 

1.  Sall/er,  J.,  Schrocdcr.  M.:  I'he  proleclion  of  informalion  in  compuler  syslems.  Proceedings 
of  IEEE63(9),  1278-1308  (1975) 

2.  Wikipedia:  Analog  hole  (September  2009)  (Online;  accessed  December  15.  2009) 


68 


R.  Sandhu  ct  al. 


3.  TCG:  TCG  specification  architecture  overview  (August  2007), 
http : //WWW. trustedcomputinggroup, org 

4.  Krishnan,  R.,  Sandhu,  R.,  Niu,  J.,  Winsborough,  W.:  A  conceptual  framework  for  group¬ 
centric  secure  information  sharing.  ACM  Symposium  on  Information,  Computer  and  Comm. 
Security  (March  2(X)9) 

5.  Krishnan,  R.,  Sandhu,  R.,  Niu,  J.,  Winsborough,  W.H.:  Foundations  for  group-centric  .secure 
information  sharing  mcxlels.  In:  Proc.  of  ACM  Symposium  on  Access  Control  Models  and 
Technologies  (20<)9) 

6.  Krishnan,  R.,  Sandhu,  R.,  Niu,  J.,  Winsborough,  W.:  Towards  a  framework  for  group-centric 
secure  collaboration.  In:  Proceedings  of  IEEE  International  Conference  on  Collaborative 
Computing  (2{X)9) 

7.  Krishnan,  R.,  Sandhu,  R.,  Ranganathan,  K.:  PEI  models  towards  sealable,  usable  and  high- 
assurance  information  sharing.  In:  ACM  Sympo.sium  on  Access  Control  Models  and  Tech¬ 
nologies  (S  ACM  AT  2(X)7),  pp.  145-150.  ACM,  New  York  (2(X)7) 

8.  Sandhu,  R.:  The  PEI  framework  for  application-centric  security.  In:  Proceedings  of  5th  Inter¬ 
national  Conference  on  Collaborative  Computing:  Networking,  Applications  and  Workshar¬ 
ing  (2009) 

9.  Sandhu.  R..  Ranganathan,  K.,  Zhang,  X.:  Secure  information  sharing  enabled  by  trusted  com¬ 
puting  and  PEI  models.  In:  Pr(x:.  of  ACM  Symp.  on  Inf.  Computer  and  Comm.  Security,  pp. 
2-12  (2006) 

10.  Sandhu,  R.,  Samarati,  P:  Access  control:  Principles  and  practice  32(9),  40-48  (1994) 

1 1.  OrangcBook:  Trusted  Computer  System  Evaluation  Criteria.  DoD  National  Computer  Secu¬ 
rity  Center  (December  1985) 

12.  Graham,  G.,  Denning,  P:  Protection-principles  and  practice.  In:  Proceedings  of  the  AFIPS 
Spring  Joint  Computer  Conference,  vol.  40,  pp.  417^29  (1972) 

13.  Lampson,  B.:  Protection.  ACM  SIGOPS  Operating  Systems  Review  8(1),  18-24  (1974) 

14.  Graubart,  R.:  On  the  Need  for  a  Third  Form  of  Access  Control.  In:  Proceedings  of  the  12th 
National  Computer  Security  Conference,  pp.  296-304  (1989) 

15.  McCollum,  C..  Messing,  J.,  Notargiacomo.  L.:  Beyond  the  pale  of  MAC  and  DAC  -  defining 
new  forms  of  access  control.  In:  Proceedings  of  the  1990  IEEE  Symposium  on  Security  and 
Privacy,  pp.  19()-2(X)  ( 1990) 

16.  Abram.s,  M.,  Heaney,  J.,  King,  O.,  LaPadula,  L.,  La/ear,  M.,  Olson,  1.:  Generalized  Frame¬ 
work  for  Access  Control:  Towards  Prototyping  the  ORGCON  Policy.  In:  Nat.  Comp.  Sec. 
Coiif.  (1991) 

17.  Park,  J.,  Sandhu,  R.:  Originator  control  in  usage  control.  In:  Policies  for  Distrib.  Syst.  and 
Networks  (2(X)2) 

18.  Bell,  D.,  La  Padula,  L.:  Secure  computer  systems:  Unified  exposition  and  multies  interpreta¬ 
tion.  Technical  Report  ESD-TR-75-306  (1975) 

19.  Denning,  D.:  A  Lattice  Model  of  Secure  Information  Flow.  Communications  of  the 
ACM  19(5),  236-243  (1976) 

20.  Sandhu,  R.:  Lattice- Based  Access  Control  Models.  IEEE  Computer  26(  1 1 ),  9-19  (1993) 

21.  Ferraiolo,  D.,  Sandhu,  R.,  Gavrila,  S.,  Kuhn,  D.,  Chandramouli,  R.:  Proposed  NIST  standard 
for  role-based  access  control.  ACM  Trans,  on  Inf.  and  Syst.  Security  (T1SSEC)4(3),  224-274 
(2(X)1) 

22.  Sandhu,  R.,  Coyne,  E.,  Fcinstcin,  H.,  Youman,  C.:  Rolc-Bascd  Access  Control  Models.  IEEE 
Computer,  38-47  (1996) 

23.  Osborn,  S.,  Sandhu,  R.,  Munawer,  Q.:  Configuring  Role-Based  Access  Control  to  Enforce 
Mandatory  and  Discretionary  Access  Control  Policies.  ACM  Trans,  on  Inf.  and  Syst.  Secu¬ 
rity  3(2).  85-106  (2(X)0) 

24.  Park,  J.,  Sandhu,  R.:  The  UCON/i/jc-  usage  control  model.  ACM  Transactions  on  Informa¬ 
tion  and  System  Security  (TISSEC)  7(1),  128-174  (2004) 


GroLip-Ceniric  Mcxlels  for  Secure  iind  Agile  Informaiion  Sharing 


()9 


25.  XACML:  OASIS  extensible  Aeeess  Control  Markup  Language  (April  2(X)9), 
http: / /WWW. oasis- open. org/ commit tees /xacml/ 

26.  Levin,  R.,  Cohen,  E.,  Corwin,  W.,  Pollack,  R,  Wulf,  W.:  Policy/niechanisni  separation  in 
Hydra.  In:  5th  ACM  Symposium  on  Operating  Systems  Principles,  pp.  L'^2-140  ( 1975) 

27.  Rafaeli.  S.,  Hutchison,  D.:  A  survey  of  key  management  for  secure  group  communication. 
ACM  Computing  Surveys.  309-329  (September  2(K)3) 

2S.  Badger.  1...  Sterne.  D.R,  Sherman,  D.L.,  Walker,  K.M.,  Haghighat,  S.A.:  Practical  domain 
and  type  enforcement  for  unix.  In;  SP  1995:  Prrxeedings  of  the  1995  IEEE  Symposium  on 
Security  and  Privacy,  Washington,  DC,  USA,  p.  66.  IEEE  Computer  Society,  Los  Alamitos 
(1995) 

29.  Fn)Icy,  S  N.;  A  iiKxlel  for  secure  information  flow.  IEEE  Symposium  on  Security  and  Privaev. 
248-258  (19S9) 

30.  Phillij)s  Jr.,  C.E.,  Ting,  T.,  Demurjian,  S.A.:  Information  sharing  and  security  in  dynamic 
coalitions.  In:  S  ACM  AT  2002:  Prcxreedings  of  the  Seventh  ACM  Symposium  on  Access 
Control  Models  and  Technologies,  pp.  87-96.  ACM,  New  York  (2(X)2) 

3 1  Shands,  D.,  Jacobs,  J.,  Yee,  R.,  Sebes,  E.:  Secure  virtual  enclaves:  Supporting  coalition  use  of 
distributed  application  technologies.  ACM  Transactions  on  Information  and  System  Security 
(TISSEC)4(2),  103-133  (2001) 

32.  Freudenthal,  E.,  Pesin,  T,  Port,  L..  Keenan,  E.,  Karamcheii,  V.:  drbac:  Distributed  role-based 
access  control  for  dynamic  coalition  environments.  In:  ICDCS  2(K)2:  Pr(K'eedings  of  the 
22nd  International  Conference  on  Distributed  Computing  Systems  (ICDCS2(X)2),  Washing¬ 
ton,  DC.  USA,  pp.  41 1-420.  IEEE  Computer  Sexiety,  Los  Alamitos  (2(X)2) 

33.  Cohen,  E.,  Thomas.  R.K.,  Winsborough,  W.,  Shands,  D.:  M(xlels  for  coalition-based  access 
control  (CBAC).  In:  SACMAT  2(X)2:  Pnxeedings  of  the  Seventh  ACM  Symposium  on  Ac¬ 
cess  Control  Models  and  Technologies,  pp.  97-106.  ACM,  New  York  (2(X)2) 

34.  Krishnan,  R.,  Niu,  J.,  Sandhu,  R.,  Winsborough,  W.:  Stale-safe  security  properties  for  group- 
ba.scd  secure  information  sharing.  In:  Prexeedings  of  the  6th  ACM  Workshop  on  Formal 
Meth(xjs  in  Security  Engineering,  pp.  53-62.  ACM,  New  York  (2008) 


A  Predictive  Model  for  Cache-Based  Side  Channels  in 
Multicore  and  Multithreaded  Microprocessors 


Leonid  Domnitscr,  Nael  Abu-Ghazaleh,  and  Dmitry  Ponomarev 


Computer  Science  Department 
State  University  of  New  York  at  Binghamton 
Binghamton,  NY  13902 
{lenny , nael , dima}0cs . binghamton . edu 


Abstract.  A  side  channel  is  an  information  channel  that  unintentionally  com¬ 
municates  information  about  a  program  as  a  side  effect  of  the  implementation. 
Recent  studies  have  illustrated  the  use  of  shared  caches  as  side  channels  to  ex¬ 
tract  private  keys  from  computationally  secure  cryptographic  applications.  The 
cache  side  channel  is  imperfect  in  the  sense  that  the  attacker's  ability  to  detect 
cache  leakage  of  critical  data  is  limited  by  the  timing  i.ssucs.  Moreover,  some  de¬ 
tected  leakages  are  due  to  non-critical  data.  Thus,  it  is  difficult  to  assess  the  degree 
of  vulnerability  given  the  imperfect  nature  of  the  side-channel.  Similarly,  when 
solutions  that  further  degrade  the  quality  of  the  channel,  but  do  not  necessarily 
close  it  completely,  arc  employed,  it  is  difficult  lo  evaluate  their  effect ivcncss. 
To  address  this  need,  this  paper  proposes  a  mathematical  mcxiel  to  evaluate  the 
expected  leakage  in  a  cache  as  a  function  of  the  cache  parameters  and  the  victim 
application  behavior.  We  use  simulation  to  quantify  these  parameters  for  typical 
attack  .scenarios  to  validate  the  model.  We  demonstrate  that  the  proposed  mcxiel 
accurately  estimates  side  channel  leakage  feu  for  AES  and  Blowfish  encryption 
and  decryption  on  a  variety  of  cache  configurations. 

Keywords:  architecture,  security,  side  channel  attack,  caches. 


1  Introduction 

In  recent  years,  security  has  emerged  as  one  of  the  key  design  issues  in  computing 
and  communication  systems.  Security  solutions*  typically  rely  on  a  set  of  cryptographic 
algorithms,  such  as  symmetric  ciphers,  pubite-key  ciphers,  and  hash  functions.  The 
strength  of  modern  cryptography  makes  it  infeasible  for  the  attackers  to  uncover  the 
secret  keys  used  tn  these  algorithms  by  brute-force  trials,  differential  |91  or  linear  crypt¬ 
analysis  [141.  Instead,  almo.st  all  known  attacks  on  the  secret  keys  today  exploit  weak¬ 
nesses  in  the  physical  implementation  of  the  system  performing  the  encryption,  rather 
than  exploiting  the  mathematical  properties  of  the  cryptographic  algorithm  it.self. 

A  subtle  form  of  vulnerability  in  the  physical  implementation  of  otherwise  secure 
systems  is  a  possible  leakage  of  information  through  unintended  (or  side)  channels. 
The  leaked  information  is  called  side’Channel  infonnatum,  and  the  attacks  exploiting 
side-channel  information  leakage  are  called  side-ciumnei  attacks  [1,19,21].  Examples 
of  side-channels  include  observation  of  execution  time,  power  consumption,  heat,  elec¬ 
tromagnetic  radiation,  or  even  sound  emanating  from  a  device  121].  A  large  number 

I.  Kotenko  and  V.  Skormin  (Eds  ):  MMM-ACNS  2010,  LNCS  6258,  pp.  70-85,  2010. 

(g)  Springer- Verlag  Berlin  Heidelberg  2010 


A  Predictive  Model  tor  Cache-Based  Side  Channels 


71 


oi'  side-channel  attacks  have  been  successfully  demonstrated  against  a  range  of  soft¬ 
ware  and  hardware  security  mechanisms:  they  have  been  used  to  break  many  cryp¬ 
tosystems  including  block  ciphers  (such  as  DES,  AES,  Camellia,  IDEA,  and  Misty  1), 
stream  ciphers  (such  as  RC4,  RC6,  A5/1,  and  SOBER-t32),  public  key  ciphers  (such 
as  RSA-type  ciphers,  ElGamal-type  ciphers,  ECC,  and  XTR),  signature  schemes,  mes¬ 
sage  authentication  code  schemes,  cryptographic  protocols,  and  even  the  networking 
subsystems) 2 1 1.  Thus,  it  is  critical  to  build  systems  that  are  immune  to  side-channel 
attacks. 

Traditionally,  side-channel  attacks  were  used  to  break  simple  systems  such  as  smart 
cards.  However,  a  new  class  of  attacks  that  exploit  the  shared  caches  in  microprocessors  as 
side-channels  had  recently  emerged  as  a  serious  security  threat  [  26,27, 1 2,24, 1 8, 1 9, 1 ,3,51. 
The  nature  of  this  new  threat  is  rooted  in  the  ability  of  modern  microprocessors  to  exe¬ 
cute  several  programs  concurrently  on  the  same  chip  to  exploit  so-called  Thread-Level 
Parallelism  (TLP).  TLP  is  exploited  by  the  processor  designers  in  two  ways;  Simultane¬ 
ous  Multithreading  (SMT)  and  Chip  Multiprocessing  (CMP,  also  called  multicore).  In 
an  SMT  processor  [251,  several  independent  programs  are  simultaneously  executing  on 
the  same  processing  core,  and  most  of  the  core's  resources,  including  the  on-chip  caches, 
arc  shared  among  the  threads.  In  contrast,  CMPs  consist  of  completely  replicated  pro¬ 
cessing  cores  that  share  only  a  small  subset  of  resources  such  as  lower  level  caches,  main 
memory  and  I/O  pins. 

Consider  the  concurrent  execution  of  tw'o  programs  in  an  SMT  environment  a 
security-critical  encryption  kernel  (which  wc  refer  to  as  the  "victim")  and  a  process 
performing  an  attack  on  the  secret  key  used  by  the  victim  (which  wc  refer  to  as  the  "at¬ 
tacker").  By  sharing  the  data  eache  with  the  vietim,  the  attacker  can  detect  the  victim's 
cache  accesses  when  the  vietim  evicts  the  data  belonging  to  the  attacker.  The  detec¬ 
tion  is  possible  bceau.se  on  its  next  access  to  the  same  data,  the  attacker  will  miss  into 
the  cache,  and  cache  mis.ses  can  be  easily  distinguished  from  hits  by  using  timing  in- 
.striictions  readily  available  in  most  modern  innstruction  sets.  Several  studies  [  1 9, 1 ,3,24] 
showed  that  the  information  leaked  through  the  cache  side  channel  is  often  sufficient 
to  reconstruct  the  full  secret  key  in  a  short  period  of  time.  Similar  leakage  is  possible 
through  the  shared  lower-level  caches  in  multicore  system,  even  without  multithreading 
in  individual  cores. 

Although  cache-based  side -channel  attacks  have  been  demonstrated,  a  successful 
attack  involves  gleaning  of  the  eritical  information  from  an  imperfect  channel.  In  par¬ 
ticular,  some  memory  accesses  may  not  be  leaked  at  all  (we  explain  the  reasons  for  that 
in  detail  in  the  later  sections).  Moreover,  some  non-critical  accesses  may  be  detected; 
these  accesses  do  not  correlate  with  the  secret  key  and  therefore  add  noise  to  the  infor¬ 
mation  eollcetcd  from  the  side-channel.  Thus,  key  reconstruction  involves  a  significant 
effort,  depending  on  the  amount  and  quality  of  the  information  detected  from  the  side- 
ehannel.  If  the  amount  of  useful  information  collected  through  the  side  channel  is  small, 
key  recon. St  ruction  may  require  prohibitive  computational  overhead,  or  just  fail. 

Being  able  to  quantify  this  relationship  between  a  side  channel  leakage  proper¬ 
ties  and  the  computational  difficulty  of  compromise  is  critical.  It  allows  quantitative 
evidence  of  vulnerabilities.  Moreover,  it  may  be  impossible  or  extremely  expensive  to 


72 


L.  Domnitser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


completely  shut  down  the  side-channel[26,27].  Thus,  low  complexity  solutions  that  re¬ 
duce  the  quality  of  the  channel  may  be  of  interest.  However,  it  is  difficult  to  accept  such 
defenses  based  on  informal  evidence;  being  able  to  formally  quantify  the  .security  of 
imperfect  channel  can  lead  to  effective  solutions  that  have  acceptable  complexity  while 
providing  sufficient  security. 

To  help  the  computer  designers  implement  the  right  level  of  protection  against  cache- 
based  attacks,  two  key  questions  have  to  be  addressed:  1)  How  much  information  is 
leaked  through  the  side  channel,  and  2)  what  is  the  effort  required  to  convert  this  infor¬ 
mation  into  a  full  .secret  encryption  key.  In  this  paper,  we  address  the  first  que.stion  and 
develop  a  simple  analytical  model  to  predict  the  amount  of  critical  information  leakage 
through  the  cache-based  side  channel.  The  model  takes  into  account  the  capabilities 
of  the  attacker,  the  parameters  of  the  victim  process  and  the  hardware  configuration  of 
the  cache.  Wc  validate  the  developed  model  through  cycle-accurate  simulations  of  two 
encryption  kernels  (AES  and  Blowfish)  and  demonstrate  that  the  side  channel  leakege 
predicted  by  the  analytical  model  matches  simulation-based  results.  Finally,  we  explain 
how  the  designers  can  use  the  proposed  model  to  reason  about  the  threat  level,  the  im¬ 
pact  of  different  attack  optimizations,  and  the  impact  of  possible  defense  approaches. 

The  remainder  of  the  paper  is  organized  as  follows.  We  review  the  AES  and  Blowfish 
algorithms  and  analyze  why  they  are  vulnerable  to  cache-based  attacks  in  Section  2. 
Sc.sction  3  describes  the  proposed  leakage  prediction  model.  In  Section  4,  we  present 
the  simulation  methodology  and  simulation  results  to  validate  the  model.  Section  5 
reviews  the  related  work  and  we  conclude  in  Section  6. 

2  Background 

In  this  section  we  describe  how  the  Advanced  Encryption  Standard  (AES)  and  Blowfish 
encryption  lend  themselves  to  exploitation  by  side  channel  attackers.  We  also  explain 
how  a  side  channel  attack  through  the  LI  data  cache  works.  An  attack  on  last  level 
cache  in  a  multicore  system  can  be  performed  in  a  similar  fashion. 

2.1  The  Advanced  Encryption  Standard  (AES) 

AES,  the  Advanced  Encryption  Standard,  is  a  widely  used  symmetric  block  cipher.  It 
encrypts  and  decrypts  1 28-bit  data  blocks  using  either  a  1 28-,  1 92-,  or  256-bit  key.  Each 
block  is  encrypted  in  10  rounds  of  mathematical  transformations.  To  achieve  high  per¬ 
formance,  AES  implementations  use  precomputed  lookup  tables  instead  of  computing 
the  entire  transformation  during  each  round.  The  indexes  to  these  tables  are  partially 
derived  from  the  secret  key,  thus  by  detecting  the  cache  sets  accessed  by  the  victim 
(through  the  side  channel  observations),  the  attacker  can  derive  some  information  about 
parts  of  the  secret  key.  By  using  multiple  measurements,  the  entire  key  can  be  success¬ 
fully  reconstructed.  The  version  of  the  AES  code  that  we  use  in  this  study  [6|  employs 
live  tables  ( 1  KB  each)  for  both  encryption  and  decryption.  The  first  four  tables  are  used 
in  the  fir.st  nine  rounds  of  encryption/decryption,  and  the  fifth  table  is  used  during  the 


A  Predictive  Model  for  Cache- Based  Side  Channels 


73 


last  round.  Separate  sets  ol' tables  are  used  Tor  encryption  and  decryption.  More  details 
on  the  AES  encryption  algorithm  and  specific  side  channel  attacks  on  AES  can  be  round 
in  124|. 

2.2  The  Blow  fish  Encryption  Algorithm 

Blowlish  |2|  is  a  keyed,  symmetric  block  cipher,  included  in  a  large  number  of  ci¬ 
pher  suites  and  encryption  products.  Blowfish  has  a  64-bit  block  si/.c  and  a  variable 
key  length  from  32  up  to  448  bits.  It  is  a  16-round  Feisiel  cipher  and  uses  large  key- 
dependent  S-boxes.  The  algorithm  keeps  two  subkey  arrays:  the  18-entry  P-array  and 
four  256-entry  S-boxes.  The  S-boxes  accept  8-bit  input  and  produce  32-bit  output.  One 
entry  of  the  P-array  is  used  every  round,  and  after  the  final  round,  each  half  of  the 
data  block  is  XORed  with  one  of  the  two  remaining  unused  P-entries.  The  F-function 
splits  the  32-bit  input  into  four  eight-bit  quarters,  and  uses  the  quarters  as  input  to  the 
S-boxes.  The  outputs  arc  added  modulo  2^“  and  XORed  to  produce  the  final  32-bit  out¬ 
put.  Again,  just  in  the  case  with  AES,  the  accesses  to  S-boxes  are  the  critical  accesses 
that  can  reveal  the  key-related  information  through  the  cache  side  channel. 

2.3  Cache-Based  Side  Channel 

A  dangerous  side  channel  exists  if  an  attacker  can  determine  which  table  rows,  which 
wc  call  critical  data,  are  accessed.  A  shared  memory  cache  can  carry  such  a  side  chan¬ 
nel.  The  time  to  access  data  present  in  the  cache  (a  cache  hit)  is  different  from  the  time 
to  access  data  not  in  the  cache  (a  cache  miss),  so  it  is  possible  to  tell  which  data  is  in 
the  cache  by  measuring  access  time. 

Caches  typically  have  a  set-associative  organization.  Each  memory  location  is  part 
of  a  multi-byte  data  block  called  a  cache  line,  and  several  lines  are  grouped  into  a  cache 
set.  When  data  is  loaded,  an  entire  line  is  brought  in  and  is  deterministically  mapped, 
by  address,  into  a  specific  set.  Multiple  lines  coexist  in  a  set  (the  number  of  lines  in  a 
set  is  the  associativity  of  the  cache),  but  when  new  lines  are  loaded,  an  old  line  must 
usually  be  evicted.  This  is  done  according  to  a  replacement  policy,  such  as  evicting  the 
least  recently  used  (LRU)  line. 

When  a  line  of  critical  data  is  loaded,  it  replaces  some  other  line.  If  the  cache  is 
shared  with  an  attacker,  the  evicted  line  may  belong  to  the  attacker.  By  later  accessing 
that  line,  and  timing  that  access,  the  attacker  learns  whether  the  victim  accessed  an 
address  mapping  to  the  same  set. 

The  Attack.  Given  such  a  side  channel,  an  attack  is  relatively  straightforward.  An  at¬ 
tacker  fills  the  entire  cache,  ensuring  that  any  memory  access  by  the  victim  will  evict  the 
attacker's  data.  After  a  cryptographic  operation,  the  attacker  returns  to  each  cache  set 
and  accesses  the  same  data  to  determine  if  it  misses,  indicating  that  the  victim  accessed 
the  set. 

The  attacker  needs  to  perform  the  following  steps: 

-  Gain  user-level  access  to  the  computer  performing  cryptography. 


74 


L.  Domnit.ser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


-  It  must  also  be  aware  of  the  cache  configuration — number  of  sets,  associativity, 
line  size,  replacement  policy,  etc.  This  might  be  known  ahead  of  time,  or  it  might 
be  programatically  deduced. 

-  For  a  side  channel  to  be  useful,  the  attacker  must  be  somehow  synchronized  with 
the  victim.  For  simplicity,  we  assume  that  a  synchronous  attack  is  possible.  That 
is,  the  attacker  can  trigger  the  cryptographic  process,  say,  by  an  inter-process  com¬ 
munication  or  networking  mechanism.  If  an  attacker  can  trigger  single-data-block 
encryption  or  decryption,  it  need  not  worry  about  keeping  pace  with  the  victim  to 
ensure  that  the  cache  stays  full  of  attacker  data. 

-  The  attacker  cannot  “look  within"  a  line.  When  an  attacker  line  is  evicted,  all  it  can 
learn  is  that  the  victim  accessed  a  location  within  a  particular  line,  not  the  specific 
critical  data  index  within  the  line.  This  is  the  nature  of  the  side  channel — an  attacker 
will  have  to  do  some  brute  force  work. 

-  The  critical  data  accessed  can  be  difficult  to  determine,  not  just  because  of  line- 
size  granularity,  but  becau.se  other,  unrelated  victim  data  can  map  to  the  .same  set, 
creating  noise  in  the  side  channel. 


3  Model  for  Side  Channel  Leakage  Prediction 


The  goal  of  the  proposed  model  is  to  predict  the  probability  that  a  critical  cache  access 
(that  is,  the  access  to  the  critical  data  that  is  dependent  on  the  secret  key)  is  expo.sed  on  a 
cache-ba.sed  side  channel,  both  in  aggregate  and  per  each  cache  set.  More  precisely,  wc 
predict  the  conditional  probability  that  the  attacker  detects  a  memory  access  on  the  side 
channel,  given  that  there  was  access  to  critical  data.  This  probability  can  be  expressed 
as  P{D\C)y  where  D  is  the  event  of  detection,  and  C  is  the  event  of  a  critical  access. 
P(D|C)  is  defined  to  be  equal  to  Using  a  few  basic  algebraic  transformations 

of  this  definition,  we  obtain  a  simple  statement  of  Bayes'  theorem,  which  gives  the 
relationship  between  a  conditional  probability  and  its  inverse: 


P{D\C)  = 


P{C\D)P{D) 

W) 


(1) 


Table  1.  Summary  of  symbols 


A 

event  of  an  access 

a 

number  of  memory  accesses 

C 

event  of  critical  access 

D 

event  of  detected  access 

m 

number  of  lines  used  in  a  set 

N 

number  of  sets 

s 

cache  set  number 

Ta 

time  between  repeat  accesses  by  attacker 

T. 

time  between  repeat  accesses  by  victim 

w 

cache  associativity 

A  Predictive  Model  for  Cache-Based  Side  Channels 


75 


This  formula  is  the  basis  of  the  proposed  model.  We  predict  the  variables  FiC\D)  (the 
conditional  probability  that  there  was  a  critical  access,  given  that  the  attacker  detected 
an  access),  P{D),  and  P{C)  based  on  properties  of  the  attacker  and  victim  programs, 
and  the  system  on  which  they  execute.  In  the  next  section,  we  measure  the  variables 
through  simulation  and  evaluate  our  predictions. 

P{D)  and  P{C)  refer  to  the  probabilities  of  events  D  and  C  when  an  access  occurs . 
not  for  any  instruction.  That  is,  we  assume  an  initial  condition  A,  that  there  is  a  memory 
access.  So  P{D)  is  a  shortened  notation  for  P{i)\A).  Accordingly,  P{D)  and  /’(C)  are 
affected  by  the  real  timeline  of  CPU  cycles,  but  are  calculated  relative  to  the  timeline 
of  memory  access  instructions  only. 

The  events  A,  C.  and  D  can  refer  to  all  accesses,  or  can  be  restricted  accesses  to  a 
.sub.sct  of  data.  We  consider  both  aggregate  measures  and  those  restricted  to  individual 
cache  .sets.  In  the  latter  case.  A^.  C>,  and  Ds  refer  to  the  events  of  accesses  to  set  .v. 

The  rest  of  this  section  analyzes  the  components  variables  of  the  above  Bayesian 
formula,  then  combines  the  variable  predictions  into  a  single  formula  to  predict  side 
channel  expo.sure  of  critical  data. 

3.!  Estimating  Critical  Accesses  (/’(C)) 

We  define  the  probability  of  a  critical  access.  P(C)  as  the  average  rate  of  critical  ac¬ 
cesses.  This  probability  defines  how  many  accesses  during  the  execution  of  a  crypto¬ 
graphic  program  are  critical,  if  the  total  number  of  accesses  is  a.  This  value  is  an  invari¬ 
ant  property  of  the  implementation  of  a  cryptographic  algorithm,  and  can  be  estimated 
through  static  analysis  or  profiling. 

In  our  Bayesian  prediction  formula,  is  a  constant  for  a  given  program.  However, 
it  varies  among  cryptographic  algorithms  (and  implementations),  and  between  encryp¬ 
tion  and  decryption  routines. 

3.2  Access  Detection  (/’(/))) 

The  probability  that  the  attacker  detects  an  access,  P(P).  is  the  number  of  delected 
acce.s.ses  out  of  the  total  number  of  accesses. 


F{D)  =  ^ 
a 


(2) 


P{D)  is  100%  fora  perfect  attacker,  which  measures  the  victim  without  error  after  every 
instruction.  Realistically,  there  are  several  reasons  that  a  memory  access  may  be  hidden 
from  the  side  channel.  The  number  of  hidden  acce.sses  is  a^/j,  and  P(D)  can  be  restated 
in  terms  of  hidden  accesses: 


P(D)  ^  (  —  (3) 

a 

The  simplest  rea.son  that  a  memory  access  may  not  be  detected  is  a  cache  hit.  The 
attacker  only  sees  a  victim’s  access  if  it  misses  into  the  cache  and  evicts  attacker’s  data. 
The  attacker’s  data  is  not  automatically  placed  back  in  the  cache  when  the  victim  evicts 
it:  rather,  the  attacker  .scans  and  refills  the  particular  cache  location  at  some  point  after 


76 


L.  Doninitser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


the  victim  accesses  it.  In  the  time  it  takes  the  attacker  to  traverse  the  cache,  the  victim 
may  have  performed  several  accesses  to  the  same  cache  location,  and  all  but  one  of 
those  will  remain  undetected  by  the  attacker. 

The  percentage  of  accesses  hidden  from  the  side  channel  by  the  cache  hits  depends 
on  the  victim’s  pattern  of  access  to  individual  critical  data  entries  and  the  .speed  with 
which  an  attacker  returns  to  each  set.  The.se  behaviors  can  vary  depending  on  victim 
and  attacker  implementations,  as  well  as  the  cache  configuration. 

For  a  fixed  cache  configuration,  the  victim’s  “rate  of  return”  to  a  particular  critical 
data  entry  depends  on  the  input  data  and  the  secret  key.  The  average  rale  is  a  property 
of  the  cryptographic  code.  Since  the  side  channel  operates  at  the  granularity  of  cache 
line.s,  the  cache  line  size  also  affects  the  hit  rale.  The  victim  does  not  necessarily  have 
to  access  the  exact  same  critical  data  to  hit  into  the  cache,  but  must  access  data  within 
a  resident  cache  line.  Larger  cache  lines,  besides  confounding  multiple  possible  critical 
data  addresses  when  an  access  is  detected,  increase  the  likelihood  of  cache  hits  which 
are  hidden  from  the  side  channel. 

The  attacker  can  also  be  accelerated  by  larger  cache  lines,  since  fewer  memory  ac¬ 
cesses  are  required  to  scan  the  entire  cache.  If  the  rale  of  return  for  both  the  victim  and 
attacker  scale  linearly  with  the  line  size,  then  the  effect  is  canceled  out.  However,  a  vic¬ 
tim  automatically  exploits  the  increased  hit  rate,  while  an  attacker  may  have  to  address 
synchronization  issues  that  result.  In  a  .synchronous  attack  that  is  synchronized  at  block 
encryption  boundaries,  increased  line  size  helps  only  the  victim.  Even  in  a  purely  asyn¬ 
chronous  attack,  where  “synchronization”  is  done  by  post-attack  analysis,  the  attacker 
must  still  emit  or  save  its  timing  results  after  each  cache  traversal,  which  will  happen 
more  often  with  shorter  traversal  times. 

Depending  on  the  attack  code,  the  cache  dimensions — number  of  sets  and 
associativity — can  affect  the  speed  of  the  attack.  At  the  co.st  of  higher  code  complexity, 
an  attacker  can  reduce  the  number  of  accesses  it  must  perform  by  accessing  each  set  just 
once^  If  this  sort  of  an  attack  is  used,  then  the  attacker  can  traverse  a  highly  a.s.sociative 
cache  with  fewer  sets  fa.ster  than  it  can  traverse  a  less  associative  cache  (with  more  sets) 
of  the  .same  size.  Similar  to  increasing  line  .size,  increasing  associativity  can  increase 
the  attack  speed  and  decrease  hidden  critical  accesses,  but  only  if  this  optimized  attack 
is  used,  and  if  synchronization  issues  are  handled. 

Memory  acces.ses  can  also  be  hidden  from  the  side  channel  by  design.  Hardware  or 
software  defense  mechanisms  can  reduce  P{D).  A  perfect  defense  mechanism  reduces 
P{D\C)  to  0.  Of  course,  if  no  critical  accesses  are  detected,  the  side  channel  does  not 
exist.  Specific  defen.se  mechanisms  are  outside  the  scope  of  this  paper,  but  they  can  be 
captured  in  this  portion  of  the  model. 

3.3  Estimating  Critical  Acce.sses  Ciiven  Detection  (P{C\D)) 

P{C\D)  is  the  fraction  of  detected  accesses  that  are  critical.  This  rcprc.senls  how  clean 
the  signal  on  the  side  channel  is — 100%  means  that  every  access  that  is  detected  is  use¬ 
ful  to  the  attacker.  A  real  side  channel,  however,  has  sources  of  noise.  Noise  is  expressed 

'  Assuming  the  cache  replacement  policy  is  Least  Recently  Used  (LRU),  the  attacker  can  ensure 
that  it  always  accesses  the  LRU  line  of  a  set.  If  that  is  a  hit,  the  other  lines  in  the  set  will  also 
hit. 


A  Predictive  Model  for  Cache- Based  Side  Channels 


77 


as  or  the  probability  that  there  is  no  critical  access,  given  a  detected  access. 

(With  our  a.ssiimptions,  C  also  means  that  there  was  a  non-critical  access.)  Since  we 
consider  the  cause  of  noise,  not  of  signal,  we  represent  P(C|D)  as  1  r(-'C|D). 

Even  with  no  complicating  factors,  some  noise  is  inherent  in  the  cryptographic  im¬ 
plementation.  A  victim’s  access  to  non-critical  data  that  maps  to  the  same  cache  set  as 
critical  data  cannot  be  distinguished  from  a  critical  access.  The  attacker,  in  its  analysis 
stage,  can  try  to  lilter  out  a  pattern  of  noise.  An  attack  must  have  tolerance  for  noise, 
so  that  some  brute  force  trials  can  be  performed  while  still  iilili/ing  data  from  the  side 
channel  as  a  hint. 

Noise  can  also  come  from  the  attacker’s  side,  in  the  form  of  instruction  cache  misses, 
from  misses  in  the  translation  lookaside  buffer,  from  the  operating  sy.siem,  or  from 
anything  el.se  that  may  confound  timing  results. 


3.4  Model  Formalization 


We  now  unify  the  ideas  presented  above  into  a  formal  predictive  model.  We  return  to 
our  Bayesian  formula,  predicting  side  channel  exposure  in  a  single  set: 


P(Ds\Q) 


F{QlI\)P([h) 

P{Cs) 


(4) 


The  probability  of  a  critical  access  is  simply  the  ratio  of  critical  accesses  to  total 
accesses: 


P(Cv)  =  —  (5) 

«v 

To  model  the  probability  of  a  detected  access,  we  tirst  consider  the  average  likelihood 
that  an  access  will  be  hidden  by  hitting  into  the  cache.  Repeated  victim's  access  to  a 
cache  location  before  the  attacker  scans  and  refills  that  location  will  be  hidden  from 
the  side  channel.  Consequently,  in  the  time  it  takes  an  attacker  to  return  to  a  location, 
Ta.  all  acce.s.ses  after  the  first  one  will  be  hidden.  The  time  between  repeated  accc.s.scs 
to  that  location  is  /;..  The  probability  of  an  access  to  a  single  location  being  detected, 
then,  is  assuming  there  is  an  intervening  victim  access  to  the  location  (7,.  <  /;,).  Tj., 

on  average  across  accesses  during  an  attacker  traversal,  is  expressed  as  — .  So  we 
obtain: 


^  ^ -  (6) 

^location 

Since  we  assume  that  a  cache  access  has  taken  place,  a  >  0,  this  value  is  defined. 

Next,  we  expand  our  model  to  a  cache  set,  rather  than  a  single  location.  There  is 
some  numherof  lines  of  data  mapping  to  set  s,  which  we  call  ///y.  The  cache  is  vr-vvay 
associative.  If //ly  <  u*,  then  all  the  data  hts  in  the  set  without  eviction,  and  accesses  to 
all  these  data  can  be  delected.  In  this  case  P(Ds)  =  When  ///.v  >  \\\  only  of  the 
data  lines  u.scd  arc  resident  in  the  cache,  and  can  possibly  leak  information.  This  is  a 
‘Tit  factor"  that  limits  the  probability  of  detection  in  a  set.  Generalizing,  wc  obtain: 


78 


L.  Dornnilser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


pm 


ffis  -  min 


Ois 


0) 


nfs  •  min  I  j  can  be  thought  of  as  the  '‘pressure"  on  the  cache  set. 

We  now  model  the  probability  of  critical  access,  given  detected  access,  which  can  be 
expressed  as  1  —  noise.  The  simple  noise  we  consider  is  caused  by  non-critical  accesses. 
This  model  considers  the  number  of  critical  accesses  to  a  set  which  along  with 
non-critical  accesses  a  o*  rnake  up  all  accesses  a.v  Wc  start  with  the  definition  of 
conditional  probability: 


P{Cs\D,) 


PjCsODs) 

PiOs) 


(8) 


P{Ds)  is  already  modeled.  The  model  for  P{CsC\Ds)  is  very  similar — we  just  look  at 
the  subset  of  detected  accesses  that  are  critical.  tnc.s  <  ffh  is  the  number  of  critical  data 
lines  mapping  to  set  s.  We  restrict  P{D)  to  just  these  lines: 


Thus,  the  equation  for  1 


P{CsnD,) 


min 


«v 


noise  is  the  following: 


(9) 


p{Csm 


V  7 


nts 


We  can  now  unify  the  model  into  a  single  formula: 


(10) 


P{D,\Cs) 


Our  single-set  model  simplifies  to: 


P{l\\Cs) 


OCc... 


(11) 


(12) 


Finally,  we  consider  the  entire  cache  rather  than  a  single  set.  We  ignore  sets  without  crit¬ 
ical  accesses,  since  the  condition  of  the  probability  is  that  there  were  critical  accesses, 
and  take  the  average: 


I 


N 

s  0 


0  :  ac..s  =  0 

— "  ^  ^  ^ — -  :  otherwise 


I 


N 


1 0  :  a<’.,  =  0 

I  I  :  othenvise 


P{D\C)  = 


(13) 


A  Prediclive  Model  for  Cache-Iiased  Side  Channels 


79 


This  model  predicts  the  effectiveness  of  a  side  channel  using  only  a  simple  profile  of 
the  victim  (distribution  of  critical  and  overall  cache  accesses  within  a  period  of  attack), 
and  cache  associativity. 


4  Model  Validation  Methodology 

To  validate  the  model  proposed  in  the  previous  section,  we  perl'ormed  cyclc-accurate 
simulations  of  AES  and  Blowfish  encryption  algorithms  running  alongside  the  ideal¬ 
ized  attacker  on  an  SMT  processor  We  used  M-Sim  3.0  1 17] — a  SMT  and  CMP  simu¬ 
lator  that  was  derived  from  Simplescalar  3.0d  [7].  The  crypto  programs  were  compiled 
on  an  Alpha  AXP  machine  running  Tru64  UNIX,  using  the  native  C  compiler  with 
-04  -fast  -non_shared  optimization  flags.  We  simulated  an  8-way  processor  with 
128-entry  Reorder  Buffer  and  a  32KB  LI  data  cache  under  several  configurations. 

Wc  simulated  both  an  8-way  set-associativc  cache,  and  a  direct-mapped  (1-way) 
cache.  The  8-way  cache  is  a  typical  configuration,  while  the  direct-mapped  cache  was 
used  to  exercise  the  fit  factor  of  the  model.  Both  caches  used  32  byte  lines,  so  the  caches 
had  128  and  1024  sets,  for  8- way  and  direct-mapped,  respectively. 

We  simulated  the  execution  of  an  idealized  attacker  as  a  separate  thread  alongside 
an  encryption  or  decryption  process.  It  is  ‘Idealized"  because  it  is  implemented  with 
simulator  support  to  synchronize  perfectly  with  cryptographic  block  operations.  The 
only  noise,  therefore,  occurred  during  the  core  cryptographic  operation,  and  the  attacker 
did  not  operate  undertime  constraints.  This  is  the  best  an  attacker  can  do,  and  a  is  worst- 
case  bound  on  security. 

Wc  ran  simulations  of  1,000  truly  random  |20]  input  data  blocks.  The  experiments 
included  all  permutations  of  the  following  operations: 

-  Algorithm:  AES  or  Blowfish 

-  Operation:  encryption  or  decryption 

-  Cache  configuration:  8- way  or  direct-mapped 

Our  simulations  outputted  memory  access  traces;  a  script  used  these  data  to  generate 
predictions.  Wc  also  generated  attacker  traces  which  labeled  memory  accesses  as  de¬ 
tected  or  not.  For  each  block  operation  (that  is,  each  in.stancc  of  the  attack),  the  model 
matches  the  measured  detection  rates.  This  makes  sense,  because  the  same  data  block 
is  used  both  to  profile  the  victim  lor  the  model  and  to  measure  the  side  channel.  We 
also  show  how  the  average  side  channel  that  wc  measure  as  a  profile  is  a  good  predictor 
for  individual  blocks.  Our  experiments  show  low  variation  in  side  channel  leakage  from 
block  to  block. 


5  Results  and  Evaluation 

Figure  1  shows  the  aggregate  detection  rate  averaged  across  1,000  cryptographic  block 
operations.  This  is  the  measured  rate  of  detection,  which  matches  the  rate  predicted  by 


80 


L.  Domnitser,  N.  Abu-Glia/aleh,  and  D.  Ponomarev 


our  model  for  each  of  the  same  blocks.  The  average  value  of  P{D\C)  is  76%  for  AES  and 
87%  for  Blowfish  on  the  8- way  cache.  The  direct-mapped  cache  exhibits  similar  results, 
77%  and  88%  for  AES  and  Blowfish,  respectively.  Figure  2  shows  same  .side  channel 
leakage  broken  down  by  set.  The  8-way  cache  has  a  fairly  consistent  distribution  of 
accesses  among  its  128  sets,  since  the  critical  data  tables  arc  spread  evenly  across  all 
sets.  The  direct-mapped  cache  only  shows  leakage  in  256  sets  for  AES  and  268  sets  for 
Blowfish,  out  of  1024  available  sets.  This  is  because  only  those  sets  have  critical  data 
(since  direct  mapped  cache  has  a  larger  number  of  sets). 

Figure  3  shows,  for  each  experiment,  how  the  detection  rate  for  each  block  compares 
to  the  average  rate  across  all  the  blocks.  These  graphs  show  bell  curves  in  a  small 
range  around  the  average,  with  a  standard  deviation  of  2%  in  all  ca.ses.  The  maximum 
deviation  is  7%  for  AES  and  8%  for  Blowfish.  Therefore,  our  simple  predictive  model 
which  is  based  on  the  average  detection  rafe  across  all  bkx:k.s  predicts  the  detection 
within  individual  blocks  with  an  error  of  only  8%  in  the  worst  case. 


Fig.  1.  Aggregate  detection  rate.  This  graph  shows  the  detection  rate  (P{D\C))  as  an  average 
across  1,000-data  block  cryptographic  operations.  Predicted  and  measured  detection  rates*  are 
equal  for  each  bUx'k  operation. 


Therefore,  our  experiments  confirm  that  the  results  obtained  by  the  propo.scd  model 
closely  match  the  simulated  results.  Furthermore,  they  demonstrate  that  different  input 
data  causes  only  a  low  level  of  variation  in  side  channel  leakage,  so  simple  metrics, 
such  as  estimated  average  characteristics  across  all  blocks  can  be  used  for  accurately 
predicting  the  amount  of  leaked  data  on  a  block-by-block  basis. 


PtDiC)  P(D|C) 


A  Predictive  Model  for  Cnche-Based  Side  Channels 


81 


Cache  set  Cache  set 


(a)  AES  encryption,  8-way  cache  (b)  AES  encryption,  direct-mapped  cache 


Cache  set  Cache  set 


(c)  Blowtish  encryption,  8-way  cache  (d)  Blowhsh  encryption,  direct-mapped 

cache 


2.  Detection  by  set.  These  graphs  show  detection  rale  in  each  set  (/’(OJf'J)  as  averages 
across  I  ,()(K)-daia  block  encryptions  (decryption  graphs  are  omitted  because  they  are  nearly  iden¬ 
tical).  Predicted  and  measured  detection  rates  are  equal  for  each  block  operation. 


Sudia  in  Stocks  m  rang* 


82 


L.  Domnitser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


(a)  AES  enc.,  8-way 


(b)  AES  dec.,  8-way  (c)  AES  cnc.,  direct-mapped 


(d)  AES  dec.,  direct-mapped  (e)  Blowbsh  enc.,  8-way  (f)  Blowlish  dec.,  8-way 


(g)  Blowfish  enc.,  direct-  (h)  Blowfish  dec.,  direct- 
mapped  mapped 


Fig.  3.  Each  graph  shows  the  number  of  block  operations  with  side  channel  leakage  within  a  given 
range 


A  Predictive  Model  for  Cache-Based  Side  Channels 


83 


6  Related  Work 

The  security  of  cryptographic  implementations  with  respect  to  side-channel  attacks  has 
not  been  widely  investigated.  Despite  the  presence  of  a  number  of  a  solutions  to  side- 
channel  problems  that  do  not  perfectly  close  the  channel  [  10,151,  the  security  propeilies 
of  side-channels  and  the  effectiveness  of  such  imperfect  solutions  were  open  questions. 
Micali  and  Rcyzin  were  the  first  to  present  a  theoretical  analysis  of  general  side-channel 
attacks  1 16).  Using  very  general  assumptions,  this  model  defines  the  notion  of  an  ab¬ 
stract  computer  and  a  leakage  function  that  together  can  capture  almost  all  instances  of 
side  channels.  However,  the  overly  general  assumptions  make  it  difficult  to  apply  this 
analysis  to  particular  algorithms  (e.g.,  DES  or  AES)  or  for  specific  side-channels. 

Standaert  ct  al.  started  from  Micali  and  Reyzin  model  and  specialized  it  for  more 
practical  situations  |23].  Specifically,  they  restricted  some  of  the  assumptions  to  a  range 
that  corresponds  to  relevant  adversary  and  leakage  models.  Moreover,  they  show  how 
to  map  the  abstract  computational  model  to  physical  instances  such  as  circuits  and  op¬ 
erations.  Although  this  model  brings  the  original  model  by  Micali  and  Reyzin  closer 
to  practice,  it  models  the  leakage  and  adversary  abstractly  using  information  theoretic 
principles.  More  recently,  Standaert  ef  al.  created  a  uniform  model  of  side-channel  at¬ 
tacks  to  address  the  problem  of  how  compare  different  algorithm  implementations  and 
defense  mechanisms  in  a  way  that  enables  comparing  them  [22]. 

Kopf  and  Basin  developed  an  information  theoretic  model  of  side-channels  |13|. 
Like  our  model,  they  re.striet  their  analysis  to  the  amount  of  information  leaked  from  the 
channel.  This  model  considers  a  generic  side  channel,  and  does  not  capture  the  detailed 
operation  of  cache  ba.sed  side-channel  attacks  that  we  characterize  in  this  paper. 

Both  software  and  hardware  solutions  to  address  cache-based  side  channel  attacks 
have  been  proposed.  On  the  software  side,  the  main  idea  is  to  rewrite  the  code  of  the  en¬ 
cryption  algorithms  such  that  known  side  channel  attacks  are  not  successful.  Examples 
of  such  techniques  include  avoiding  the  use  of  table  lookups  in  AES  implementations, 
preloading  the  AES  tables  into  the  cache  before  the  algorithm  starts,  or  changing  the 
table  access  patterns  [18,24,4,21].  The  limitation  of  the  software  solutions  is  that  that 
they  are  tied  up  to  a  specific  algorilhm/attack,  do  not  provide  protection  in  all  cases,  are 
subject  to  errors  on  the  part  of  programmers,  and  often  result  in  significant  performance 
degradation  [26|.  Another  recent  approach  to  address  side  channel  attack  is  by  dedicat¬ 
ing  special  functional  units  and  ISA  instructions  to  support  a  particular  cryptographic 
algorithm.  An  example  of  this  approach  is  the  Intel  AES  instruction  1 1 1  j.  This,  how¬ 
ever,  requires  non-trivial  hardware  and  software  changes  and  only  protects  again.st  the 
attacks  on  the  crypto  algorithms  that  are  supported — support  has  to  be  re-implemented 
to  defend  new  algorithms. 

In  respon.se  to  the  limitations  of  software  solutions,  several  hardware  schemes  have 
been  recently  introduced.  The  advantage  of  hardware  solutions  is  that  they  prevent 
the  attacks  in  principle,  by  eliminating  the  side  channel.  The  main  challenge  in  these 
schemes  is  to  keep  the  impact  on  the  design  complexity,  eaehc  access  time,  and  perfor¬ 
mance  overhead  to  the  minimum.  Following  this  line  of  research,  a  partitioned  cache 
was  proposed  |8],  along  with  ISA  changes  to  make  the  cache  a  visible  part  of  the  ar¬ 
chitecture.  Specifically,  new  instructions  are  added  to  define  a  panition  and  specify 
its  .size  and  parameters.  This  scheme  requires  changes  to  both  the  ISA  and  the  cache 


84 


L.  Domnitser,  N.  Abu-Ghazaleh,  and  D.  Ponomarev 


hardware  design  and  can  lead  to  significant  performance  degradation.  Several  alterna¬ 
tive  cache  designs  for  thwarting  cache-based  attacks  have  been  proposed  by  Wang  and 
Lee  [26,27].  Partition-Locked  Cache  (PL  cache)  design  [26]  uses  cache  line  locking  to 
prevent  evictions  of  cache  lines  containing  critical  data,  thus  closing  the  side  channel. 
The  main  drawback  is  the  performance  hit  due  to  cache  underutilization,  as  the  locked 
lines  cannot  be  used  by  other  processes,  even  after  they  are  no  longer  needed  by  the  pro¬ 
cess  that  owns  them.  In  addition,  the  PLcache  requires  system  support  to  control  which 
cache  lines  should  be  locked.  This  support  is  in  the  form  of  new  ISA  instructions,  or  OS 
modifications  for  marking  the  regions  of  memory  that  contain  the  AES  or  RSA  tables 
as  lockable.  In  either  case,  ISA/compiler/OS  modifications  are  also  needed  in  addition 
to  the  hardware  changes. 

7  Conclusion 

Cache-based  software  side-channel  attacks  repre.sent  a  new  and  serious  security  threat 
that  exploits  parallel  processing  capabilities  of  modern  processor  chips.  Defense  mech¬ 
anisms  that  provide  a  complete  closing  of  the  side  channel  are  expensive  and  often  incur 
significant  performance  overhead.  A  possible  alternative  is  to  consider  solutions  that  do 
not  result  in  a  complete  elimination  of  the  side  channel,  but  rather  attempt  to  reduce 
its  strength  to  the  levels  that  make  the  remaining  post-attack  effort  for  the  secret  key 
reconstruction  infeasible. 

To  assist  system  designers  with  such  solutions,  we  developed  an  analytical  model  for 
estimating  the  percentage  of  accesses  to  the  critical  data  that  would  be  leaked  through 
the  cache  side  channel  as  a  function  of  the  victim’s  characteristics  and  the  configu¬ 
ration  of  the  cache  hardware.  We  validated  the  proposed  model  using  cycle-accurate 
simulation  of  side-channel  attack  on  two  popular  encryption  kernels  (AES  and  Blow- 
fish)  and  also  described  how  the  model  can  be  used  in  exploring  the  design  space  of 
low-complexity  solutions  for  cache-based  attacks. 

Acknowledgements.  This  material  is  based  on  research  sponsored  by  Air  Force  Re¬ 
search  Laboratory  under  agreement  number  FA8750-09-1-0137.  The  U.S.  Government 
is  authorized  to  reproduce  and  distribute  reprints  for  Governmental  purposes  notwith¬ 
standing  any  copyright  notation  thereon.  The  views  and  conclusions  contained  herein 
are  those  of  the  authors  and  should  not  be  interpreted  as  necessarily  representing  the 
official  policies  and  endorsements,  either  expressed  or  implied,  of  Air  Forse  Research 
Laboratory  or  the  U.S.  Government. 


References 

1.  Bernstein,  D.:  Cache-timing  aitacks  on  aes  (2005), 

http : //cr . yp . to/antiforgery/cachetiming-20050414 . pdf 

2.  The  blowfish  encryption  algorithm  (2009),  http://www.schneier.com/blowfish.html 

3.  Boiineau,  J.,  Mironov,  I.:  Cache-collision  liming  attacks  against  aes.  In:  Goubin,  L.,  Matsui, 
M.  (eds.)  CHES  2006.  LNCS,  vol.  4249,  pp.  201-215.  Springer,  Heidelberg  (2006) 


A  Predictive  Mcxlcl  for  Cache-Based  Side  Channels 


85 


4.  Briekell,  E.,  Graunke,  G.,  Neve,  M.,  Seifert,  J.:  Software  mitigation  to  hedge  aes  against 
cachc-bascd  software  side  channel  vulnerabilities.  In:  1 ACR  ePrini  Archive,  Report  2(K)6/()52 
(2006) 

5.  Canteaut,  A.,  Lauradoux,  C.,  Se/nee,  A.:  Understanding  cache  attacks.  INRIA  Technical 
Report  (2006). 

ftp: //ftp. inria. fr/INRIA/publication/publi-pdf /RR/RR-5881 . pdf 

6.  Daemen,  J.,  Rijnien,  V.:  The  design  of  rijndael:  Aes  -  the  advanced  encryption  standard. 
Springer,  Heidelberg  (2002) 

7.  Burger,  D.,  Austin,  T.:  The  siniplescalar  toolset:  Version  2.0  (June  1997) 

8.  Page,  D.:  Partitioned  cache  architecture  as  a  side-channel  defense  mechanism.  In:  Cryptog¬ 
raphy  ePrint  Archive  (2(X)5) 

9.  Bihaiii,  E.,  Shamir,  A.:  Packaging  of  multi-core  microprocessors:  Tradeoffs  and  potential 
solutions.  Journal  of  Cryptology  4(  I ),  3-72  (1991) 

10.  Goubin,  L.,  Patarin,  J.:  DES  and  differential  power  analysis.  In:  Proc.  of  CUES  ( 1999) 

1 1 .  Gueron,  S.:  Advanced  encryption  standard  (aes)  instruction  set  (2(K)8) 

12.  Kong,  J.,  Aclicmcz,  O.,  Seifert,  J.,  Zhou,  H.:  Hardware-software  integrated  approaches  to 
defend  against  software  cache-based  side  channel  attacks.  In:  International  Symposium  on 
High  Performance  Computer  Architecture  (HPCA)  (February  2(K)9) 

13.  Kopf,  B.,  Ba.sin,  D.:  An  inforniation-lheorelic  mcxiel  for  adaptive  side-channel  attacks.  In: 
ACM  Conference  on  Computer  and  Communication  Security  (CCS),  pp.  286-296  (2(K)7) 

14.  Matsui,  M  :  Linear  cryptanalysis  method  for  des  cipher.  In:  Helleseth.  T.  (ed.)  EUROCRYPT 
1993.  LNCS,  vol.  765,  pp.  386-397.  Springer,  Heidelberg  ( 1994) 

15.  May,  D..  Muller,  H.,  Smart,  N.:  Randomized  register  renaming  to  foil  DPA.  In:  Proc.  of 
CHES(2(K)I) 

16.  Micali,  S.,  Rcy/in,  L.:  Physically  ohservahle  cryptography.  In:  Proc.  of  Theory  of  Cryptog¬ 
raphy  Conference  (2(X)4) 

17.  M-sim  version  3.0,  code  and  documentation  (2005), 
http :  //\rw\i .  cs ,  binghamton .  eduZ-msim 

18.  Osvik,  D.,  Shamir,  A.,  Tronier,  E.:  Cache  attacks  and  eountcmieasures:  the  case  of  aes.  In. 
Cryptology  ePrint  Archive,  Report  2005/271  (2005) 

19.  Pereival,  C.:  Cache  missing  for  fun  and  profit  (2005), 
http : //www . daemonology . net/papers/htt . pdf 

20.  Random.org  (2009),  http :  //www .  random .  org/ 

2 1 .  Side  channel  attacks  database  (2(X)9),  http :  //www .  sidechannelattacks .  com 

22.  Standaert,  F.X.,  Malkin,  T.,  Yung,  M.:  A  unified  framework  for  the  analysis  of  side-channel 
key  recovery  attacks.  In:  Advances  in  Cryptography,  Euroerypt  (2009) 

23.  Standaert,  F.X.,  Pccters.  E.,  Arehambeau,  C.,  Quisquater.  J.J.:  Towards  security  limits  in 
side-channel  attacks.  In:  Proc.  CHES  Workshop  (2(X)6) 

24.  Tromcr,  E.,  Shamir,  A.,  Osvik,  D.:  Efficient  cache  attacks  on  aes,  and  countermeasures.  Jour¬ 
nal  of  Cryptology  (2009) 

25.  Tullsen,  D.,  Eggers,  S.,  Levy,  H.:  Simultaneous  multithreading:  Maximizing  on-chip  paral¬ 
lelism.  In:  International  Symposium  on  Computer  Architecture  ( 1995) 

26.  Wang,  Z.,  Lee,  R.:  New  cache  designs  for  thwarting  software  cache-based  side  channel  at¬ 
tacks.  In:  PrcK’.  International  Symposium  on  Computer  Architecture  (ISCAJfJune  2(X)7) 

27.  Wang,  Z.,  Lee,  R.:  A  novel  cache  architecture  with  enhanced  performance  and  security.  In: 
Proc.  International  Sympo.sium  on  Mieroarehitecture  (MICRO)  (December  2(X)8) 


Attack  and  Defense  Modeling  with  BDMP 


Ivudovic  Pictrc-Cambaccdfci^’^  and  Marc  Bonisson'’'^ 


^  Electricite  de  Franco  Rc^D,  1  avenue  dii  General  de  Gaulle,  92141  Claiiiart,  France 
^  Institiit  Telecom,  Telecom  ParisTech,  46  rue  Barrault,  75013  F^aris,  France 
^  Ecole  Centrale  Paris,  Grande  Voie  des  Vignes.  92295  Chatenay-Malahry,  France 
{ludovic . pietre-cambacedes , marc . bouissou}Qedf . f r 


Abstract.  The  tR)MP  (Boolean  logic  Driven  Markov  Processes)  mod¬ 
eling  formalism  has  recently  been  adapted  from  reliability  engineering 
to  security  modeling.  It  coii.stitiites  an  attractive  trade-off  in  terms  of 
readability,  modeling  power,  scalability  and  quantification  capabilities. 
This  paper  develops  and  completes  the  theoretical  foundations  of  such 
an  adaptation  and  presents  new  developments  on  defensive  aspects.  In 
particular,  detection  and  reaction  mofleling  are  fully  integrated  in  an 
augmented  theoretical  framework.  Different  use-cases  and  quantification 
examples  illustrate  the  relevance  of  the  overall  approach. 

Keywords:  Security  modeling,  attack  trees,  BDMP,  risk  analysis. 


1  Introduction 

Graphical  atta(‘k  foriiialisiiis  are  coiniiioiily  used  in  security  analysLs  to  share 
standpoints  between  analysts,  enhance  their  coverage  in  terms  of  scenarios,  and 
help  ordering  them  and  the  related  system  vulnerabilities  by  various  quantifica¬ 
tions.  The  authors  have  recently  introduced  a  new'  approach  based  on  BDMP 
(Boolean  logic  Driven  Markov  Proc  esses)  [3],  adapting  this  formalism  used  in  re¬ 
liability  engineering  to  attack  inodcliiig  [IG].  BDMP  have  proven  to  be  an  original 
and  advantageous  trade-off  between  readability,  modeling  power,  scalability  and 
ejnantifi cation  capabilities  in  their  original  domain  [2].  The  same  advantages  are 
expc'cted  from  their  adaptation  to  the  seemrity  area.  In  this  paper,  vve  consol¬ 
idate  the  theoretical  foundations  of  such  an  adaptation,  and  extend  it  to  take, 
into  account  detcxdioii  and  reaction  aspects  in  an  integrated  approach.  Section  2 
prc*.s<nits  the  state'  of  the  art  in  graphical  attack  modeling.  Section  3  dcvcloi)s,  on 
a  tlmoretical  and  ])rHctical  point  of  view,  how  BDMP  (‘an  be  changc'd  to  model 
attack  scenarios.  Section  4  focuses  on  defensive  aspects,  presenting  the  extc'iision 
(k'veloped  for  detection  and  reaction  modeling.  Section  5  prc'scnts  on-going  and 
future  work  related  to  this  new  approach. 

2  State  of  the  Art 

The  clear  interest  of  the  computcT  security  coniiminity  for  graphical  attack  mod¬ 
eling  techniques  has  led  to  numerous  proposals;  they  can  bc'  groupcxl  into  tw'o 
catc'goric's,  each  being  dominated  by  a  specific  model: 


I.  Kotenko  and  V.  Skorinin  (Ed.s.):  MMM-ACN.S  2010,  LNCS  025S.  pp.  SO -101,  2010. 
0  Springer-Vorlag  Berlin  Heidelberg  2010 


Attack  and  Defense  Modeling  with  BDMP 


87 


Static  jnodcLs:  also  call('(l  stnietural  inodcds.  th('y  jn'ovido  a  glottal  view  of  tli(‘ 
attack,  witlio\it  being  able  to  ca])tiire  its  (woliition  in  time.  The  dominant 
type  of  model  is  the  Boolean-logical  tn^e  ba,s(‘d  approach.  Generally  known 
a,s  Attack  Tr('e.s  [21,10].  they  are  present  in  the  literature  under  different 
variations:  threat  trees  [ij.  vnliierability  trees  [14]  etc. 

—  Dfinauiir  models:  also  calk'd  b(4iavioral  niod(*ls,  they  take  into  account  d('- 
pc'iidance  aspects  such  as  sequences  or  reactions.  Richer  than  static  models, 
they  can  be  built  by  hand  only  in  very  simple  cases,  ddiere  are  two  approaclu's 
in  the  other  cases: 

•  The  first  one  is  based  on  detailed  state-grai)bs  cai)tni  ing  the  possibk'  evo¬ 
lutions  of  an  attack,  antomatically  gcaieratt'd  from  formal  specifications. 
Such  approaches,  initiated  by  SlieyiKM*  et  al.  with  Attack  Graphs  [22]  and 
f()llow('d  by  other  relevant  approaches  (e.g.  [8,7]),  are  not  graphical  mod¬ 
els  p(M'  se  as  they  ar(‘  not  dirc'ctly  (k'sigiK'd  to  Ix'  graphically  maiiipiilat(‘d 
by  analysts. 

•  Th('  second  reli('s  on  compact  and  high-lev('l  graphical  formalisms.  d(*- 
sigiuM  to  efficiently  rei)resent  dynamic  a.s])('cts  lik('  s(Tpiences  or  reac¬ 
tions.  and  to  be  directly  nsabk'  by  human  analysts.  In  this  category 
P('tri  net-bas(M  ai)i)roaches  are  the  most  widc'ly  known.  Atta('k  Nets. 
oiu‘  of  the  first  proposals  in  tlu'  domain  [II],  or  PE  Nets,  a  more  recent 
approach  with  a  complete  software'  support  [18].  are  two  good  ix'pn'sen- 
tatives. 

Each  approach  allows  for  a  different  balance'  in  te'rins  e)f  nK)eleling  pe)we'r,  re'ael- 
ability,  se’alability  and  epiantification  capabili  tie's.  St  a  tie'  ine)de'ls  are  usually  ve'ry 
readable'  but  are  lacking  in  the'ir  nu)de'ling  pe)we'r  anel  epiantification  capabilitu's. 
Dynamics  moelels  are  iiieire'  intere\sting  feir  the'se'  asix'e  ts.  but  often  have  their 
cjwii  limits  in  terms  of  clarity  and  scalability.  Neite  that  the'se  statements  are' 
alse)  relevant  in  the  eieiniain  of  reliability  anel  .safety  moeleling  [12,17],  wlu're'  sim¬ 
ilar  appreiaclu's  have  be'cn  histeirically  first  used,  moeleling  system  ce)mpe)ne'nt 
failure's  inste'ael  of  attacke'r  actieins  anel  se'cnrity  e've'iits. 

3  The  BDMP  Formalism  Applied  to  Attack  Modeling 

3.1  Fouiielatioiis 

Originally,  BDMP  are  a  formalism  whie-h  e‘oinbiiie's  the  reaelability  of  e*las.sie‘al 
fault  tre'e's  with  the'  moek'ling  peiwe'r  e)f  Markeiv  e'hains  [,4].  Ge'nerally  s[)eaking, 
it  e'hange's  the'  fault  tre'e  .semantie-s  by  augme'iiting  it  with  a  special  kinel  e)f  links 
calk'd  trigge'rs,  anel  associating  its  knave's  te)  Markox  prexe'sse's,  elynamie-ally  se'- 
k'e'te'el  in  function  e)f  the  state's  e)f  senne  edhor  leaves.  This  alk)ws  fen*  se'epie'iiex's 
and  .simi)Ie  ek'pende'iicie's  me)deling,  while  enabling  efficient  epiantifie‘atie)ns.  The' 
eniginal  ek'diiitie)!!,  the'  mathe'inatie’al  prope'rties  anel  elifferent  example's  are  pre)- 
\  iek'el  in  [3].  In  this  se'e’tion,  we  pre'se'iit  the'  main  e'k'ine'iits  e)f  tlu'eay  and  feature's 
olfere'el  by  a  straightforwarel  aelai)tat  ie)n  e)f  BDMP  te)  .se'emrity  uie)ek'ling,  s\mnning 
up  anel  ee)Uiple'ting  re'f.  [Ki]. 


88 


L.  Piotro-Cainbacwles  and  M.  Bonisson 


The  components  of  BDMP.  Informally, 
"triggered'’  Markov  processes  (noted  Pi  and 
presented  in  this  section)  are  associated  to  the 
leaves  i  of  an  attack  tree  A.  Each  process  has 
two  modes:  Idle  and  Active  (formally  noted  0 
and  1).  The  former  models  an  on-going  event, 
in  general  an  attacker  action,  the  latter  is  used 
when  nothing  is  in  progress.  The  mode  of  a 
given  Pj  is  a  Boolean  function  of  the  states  of 
the  other  processes.  Fig.  1  presents  the  com¬ 
ponents  of  a  security-oriented  BDMP. 

More  formally,  it  is  a  set  {A,r.T,  P}  com¬ 
posed  of: 


Fig.  1.  A  small  BDMP 


—  an  attack  tree  A  =  {E,  where: 

•  E  =  G  U  P,  with  G  a  set  of  logical  gates,  and  B  a  set  of  basic  security 
events  (e.g.  attacker  actions),  corresponding  to  the  leaves  of  the  BDMP; 

•  L  C  G  X  E  is  a  set  of  oriented  edges,  such  that  {E,L)  is  a  directed 
acyclic  graph  with  V/  €  G.sons[i)  ^  0  and  V7  E  iPsons[j)  =  0,  with 
E  P(E),sons{i)  =  {j  E  E/iLj)  E  L] 

•  g  ;  G  — >  N*  is  a  function  defining  the  parameter  A:  of  the  gates  which 
are  all  considered  to  be  k/n  logical  gates  (A:  =  1  for  OR  gates,  k  =  n  for 
AND  gates,  with  n.  the  number  of  sons) 

—  r,  the  final  attacker’s  objective.  Formally,  it  corresponds  to  a  top  of  (E,  L). 

—  a  set  of  triggers  T  C  (E  —  {r})  x  (E  —  {r})  such  that  V(/.  j)  ET,i  ^  j  and 
V(?*,  j)  E  T,V(A-, /)  E  TJ  ^  k  ^  j  ^  1.  If  i  is  called  origin  and  j  target,  it 
means  that  origin  and  target  of  a  trigger  must  differ,  and  that  two  triggers 
cannot  have  the  same  target.  Triggers  are  represented  by  dotted  arrows. 

—  a  s('t  P  of  triggered  Markov  processes  Each  P^  is  defined  as  a  set 

{Z^(0.  Zlit),  whore: 

•  Zly{f)  and  Z{{t)  are  two  homogeneous  Markov  processes  with  discrete 
state  spaces.  For  k  in  {0, 1},  the  state  space  of  Zl.{t)  is  A\{t).  Each  ^[(0 
contains  a  subset  5^.(0  which  corresponds  to  success  or  realization  .states 
of  the  basic  security  event  modeled  by  the  process  P^. 

•  /(I- 1  ^iid  /*_„  are  two  “probability  transfer  functions”  defined  as  follows: 

♦  for  any  x  E  /n  •(-tO  i^  probability  distribution  on  A\  siu'h  that 
if.r  e  Siy.  then  T.jes\ULi{^)){3)  =  1- 

*  for  any  x  E  A\ ,  P  Jx)  is  a  probability  distribution  on  A!^  such  that 
if  J-  €  5|  .  then  Ejes- (/Ln(jO)O')  =  1- 


Ti*iggcrs  and  P^s  are  intimately  linked,  as  the  P,s  switch  instantaneously  be¬ 
tween  inodes,  via  the  relevant  probability  transfer  function,  according  to  the 
state  of  some  externally  defined  Boolean  variables,  called  i)rocess  selectors  (de¬ 
fined  in  the  next  paragraph).  The  process  selectors  are  defined  by  means  of  trig¬ 
gers.  Generally  speaking,  a  trigger  modifies  the  mode  of  the  P,  associated  to  the 


Attack  and  Defense  Modeling  with  BDMI 


8!) 


leaves  of  the  sub-tree  it  points  at,  when  its  origin  changes  from  false  to  tru(\ 
Vhv  inodes  are  then  switched  from  Idle  to  Active^  representing  the  j^irogress  of 
th('  atta(‘k(T  in  the  attack  scenario  possibilities  eaptnrc'd  by  th('  overall  BDMP. 

The  three  families  of  Boolean  functions  of  time.  A  HDMF  defines  a  global 
stoc  hastic*  proc'C'ss,  niodcdiiig  the  evolution  of  an  attack  and  the  dyiiaiiiic  behavior 
of  its  perpetrator.  Each  element  i  of  A  is  jissc:)ciatc'cl  to  three'  Hoolc'aii  fmic'tions  of 
time:  a  structure  function  Sf{t).  a  process  sc'lertor  A"j(/)  and  a.  ivlevaiice  indicator 
Vi{f).  The  three  families  of  thc'sc'  functions  arc'  defined  as  follows  (note  that  to 
siin])lify  reading,  the  time'  t  is  not  iiiclicatc'd  but  should  api)C'ar  c'vcTywlicTe): 

—  is  the'  family  of  strnc'ture  func  tions:  V/  E  (t,S,  =  (  ^  Sj  >  /;(/)) 

j^.sons{t) 

and  VJ  €  B.Sj  =  (Z^  €  )  with  Xj  inclic'ating  the  mode  in  which 

is  at  time  t.  Sj  =  I  corrc'si)oncls  to  the  realizatiem  of  a  basic  sc'curity  c'vent 
(like'  an  attacker  action  success). 

—  {Xi)i^i.  are  the'  mode  selc'c'tors.  inclic'ating  which  mode  is  chosen  for  each  j)ro- 
erss.  If  /  is  a  toj)  of  A,  then  A",  —  I  else'  A^^  =  ->  [(V.r  E  F.  (.r,  /)  E  L  A  ^  —  0) 
V  (3:r  E  E/{.i\  ?)  E  T  A  Sr  ~  0)].  This  means  that  A\  =  I  c'xc:ei)t  if  the  origin 
of  a  triggc'r  jminting  at  /  has  its  stnic'tnre  fmic'tioii  c'cjual  to  0.  or  if  i  has  at 
Ic'ast  one'  ])arc'nt  and  all  its  parents  have  their  process  selector  equal  to  0. 

“  (Ti)f^£;  are  the'  rcdevanc'e  indicators.  Thc'V  are  usc'cl  to  mark  the'  j)rocc'sses  to 
be  “trimmc'cr'  during  the  processing  of  the  Markc:>v  c'hain  when  c'xploring  the 
possible  secpiencTes.  Trimming  strongly  rc'clucc's  the  c‘c)mi)inatorial  c'xplosion 
while  yielding  exact  results  in  our  assumptions  (cf.  the  next  paragraj)h  and 
3.4).  If  i  =  r  (final  ohjc'ctive),  thc'ii  T,  =  1,  else  V,  =  (3.r  E  E/(.i\  /)  E  L  A  > O-A 
Sr  ~  0)  V(3/y  E  E/{i,  y)  E  T  A  Sy  =  0).  This  formally  says  that  =  1  if  and 
only  if  i  —  r,  oi  /  has  at  least  one  ‘'relevant  parent  ’  whose  S,  —  0.  or  /  is  the' 
cn  igin  of  at  least  one  trigger  i)ointing  at  an  element  who.se  5,  =  0. 

Mathematical  properties.  A  BDMP  can  he  sc^en  <is  a  robust  mathc'inatic'al 
formalism  thanks  to  the  two  following  theorems: 

Theorem  1.  The  functions  (>' ).  (A',).  (> i)  are  eompntahle  for  all  i  E  E  what¬ 
ever  the  BDMP  straetnre. 

Theorem  2.  Any  BDMP  strndure  associated  to  an  mitial  state  defiried  by  the 
modes  and  the  Pi  states,  uniquely  defines  a  honwyeneous  Markov  process. 

The'  proof  for  t  hese  theorc'ins  can  be  foinicl  in  [3].  In  addition  to  thc'ir  robustiic'ss, 
BDMP  allow  for  a  dramatic  coinbinatory  rc'cinction  by  relevant  event  filtering, 
thanks  to  the  trimming  mc'chanisni  cis.sociated  to  the'  (V^)  values.  This  mechanism 
c*an  I)C'  illustrated  as  follows:  in  Fig.  1.  oiictc'  a  basic*  sc'c  nrity  c'vc'iit  Pi  has  bc'c'ii 
realizcMl.  all  the  other  Pj^j  are  no  longer  relevant:  nothing  is  c’hangecl  for  V’  if 
we  inhibit  them.  The  immher  of  secpiences  leading  to  the  top  objective  is  n  if 
the  relevant  events  are  filtered  ((Fj .  Q).  (F2,  Q),...);  it  is  c'xponential  othc'rwi.sc' 

((/',.  Q).(P..C,,Q),  (A.  e,,Q)....). 


90 


L.  Pietro- Cambacoclos  and  M.  Bouissou 


Theorem  3.  If  the  (P,)  are  such  that  Vi  G  B.Vt^Vt^  >  t,Si{t)  =  1  Si{t')  =  1 
(which  is  always  true  in  our  paper) ^  then  Pr{Sr{t)  =  1)  is'  uncJuwged  whether 
irrelevant  events  (with  \\  =  Oj  are  trimmed  or  not. 

The  proof  of  this  la,st  thcoreiii  is  given  in  [3].  It  implies  that  triii lining  on  the 
basis  of  the  (Vi)  does  not  change  the  quantitative'  values  of  interest  (cf.  3.4). 
Moreover,  it  corresponds  to  the  natural  and  rational  behavior  of  the  attaeker. 

The  basic  leaves  and  their  triggered  Markov  processes.  The  definition 
of  three  kinds  of  leaves  is  sufficient  to  offer  large  attaek  modeling  caj)ahiliti('s. 
Tlu'ir  triggered  Markov  pr()C(\ss(^s  are  represented  informally  in  Tab.  1. 


Table  1.  The  tlireo  ba.sic  security  leaves  for  attack  modeling 


—  The  "Attaeker  Action''  (AA)  leaf  models  an  attack('r  stej)  towards  theaecoiii- 
plishment  of  his  objective.  The  Idle  mode  means  that  tlu'  action  has  not  at 
this  st  age  b(HMi  tried  by  the  attacker.  The  Active  mode  (‘orrespoiids  to  actual 
attenij:)ts  for  which  the  time  needed  to  succeed  is  exponentially  distributed 
with  a  parameter  A.  When  (A",)  changes  from  0  (Idle)  to  1  {Active),  the  leaf 
state  goes  from  Potential  to  On-going;  when  (A",)  goes  back  from  1  to  0,  if  the 
attaek  Inis  not  succeeded,  the  leaf  state  goes  back  to  Potential  if  it  has  sue- 
eeed(Hh  the  leaf  (“onies  bacT  to  the  Success  state  of  the  Idle  mode.  Formally, 
the  juobabilitv  transfea*  functions  are:  /u-.i(P)  =  {Pr(0)  =  l.Pr(5')  =  0}, 
/.-«(0)  =  {Pr(/’)  =  l,Pi(5)  =  ()},  /,..„(5)  =  {Pr(F)  =  O.Pr(5)  -  1}. 

—  The  ‘Timed  Security  Event”  (TSE)  leaf  models  a  timed  basic  security  event 
the  realization  of  which  impacts  the  attacker's  progress,  but  wlii(‘h  is  not  under 
the  attacker’s  direct  control.  The  time  needed  for  its  realization  is  ex])onen- 
tially  distributed.  When  the  leaf  (“onies  back  to  the  Idle  mode,  the  leaf  state 


Attack  and  I)(’fcnsc  Modeling  with  BDMF' 


?)1 


can  thru  be  either  Rcalizvd  or  Not  Realized,  (ic’pencliiig  on  whetluT  the  d 
()C(  nrred  or  not  in  Active  mode.  If  unrealized,  it  is  up  to  llu'  analyst  to  decide 
if  a  realization  is  tln^n  possible^  in  Idle  inode,  by  using  a  A'  ^  0.  This  can  be 
iisefnl  when  using  phased  api)roaches  as  described  in  Section  ‘bd.  Fonnally, 
the  transfer  functions  are  as  follows:  fn^i{P)  ~  {Pt{N R)  —  LPr(/?)  =  0}. 
/,  .,(A7?)  =  {Pv(NR)  l.Pr(/?)  -  ()},  {PrOV/?)  =0,  Pr(/?)  =  1 }, 

J\  .o(A7?)-{Pr(iV/?)  =  I,Pr(/0-()),/r.o(/0  =  {Pi'(A^/?)  =  0,Pr(/0-I}. 

The  ‘Instantaneous  Ser  urity  Kvcait"  (ISE)  leaf  niodc'ls  a  basic  ser  nrity  event 
that  can  happc’ii  instant aneon.sly  with  a  probability  7.  when  the  leaf  switchc's 
from  the  Idle  to  Actiri  mode.  In  the  Idle  mode,  th(*  ('vcnit  cannot  occur 
and  the  leaf  stays  in  tlu'  state  Fotejitial  In  the*  Arttve  mode,  the  event  is 
either  Realized  or  Not  Realized.  State  changes  are  necessarily  the  result  of 
changes  in  (-V,).  Formally,  tin*  probability  transfer  functions  ar(’:  — 

{Pr(iV/?)  =  1  -  7,Pr(/0  =  7},  /o^.(/?)  =  {Pi(A^/0  O.Pr(/?)  =  l},  f,  .,(/?) 

=  {Pr(A7?)  =  0,  Pr(/0  -  1 /,  ..{NR)  -  {Pv{P)  -  1.  Pr(/?)  -  0}. 


3.2  Sequence  Modeling 


The  triggers  allow  for  an  idlicicuit  and  readable 
modeling  of  th('  sr^pumtial  nature  of  attacks:  of- 
t(Mi.  some  actions  or  events  need  to  be  undertaken 
or  realized  first  before  flirt Ikm*  steps  in  the  attack 
process  can  be  attf  inpted.  Fig.  2  presents  a  sim¬ 
ple  ('xainple  with  a  sequence  of  tlin^e  actions  with 
such  a  constraint,  based  on  an  OpcMating  System 
(OS)  attack.  R('.ference  [Hi]  proposes  an  alterna¬ 
tive'  exam[)lc.  modeling  the*  attack  of  a  Remote 
Acc('ss  Server  (RAS),  while  a  complete  nse-case 
is  presented  in  Section  3.4. 


us  OS  \u!<nr[al>ihl)  VultlCTahihEy 

prin|m|t  id^nl  ifieol  ion  rxploitalion 


Fig.  2.  A  simple  OS  attack 


3.3  Concurrent  or  Exclusive  Alternatives 

For  a  giv<'n  intermediate  objective,  an  attacker  may  hav(’  diflerent  alternatives. 
A  natural  way  of  modeling  this  with  BDMP  and  cla.ssical  attack  trees  is  with  OR 
gates.  Fig.  3  repre.seiits  two  different  approaches  with  an  (’xample  dealing  with 
OS  fingerprinting.  On  the  left  skh’,  a  siniph’  OR  gale  is  ii.sed:  p^issive  and  active’ 
tec  hihcpK's  arc  tried  simultaneonsly,  which  may  not  reflc'ct  a  reali.stic  attackcT 
bc'havior.  Passive  technicines.  being  more  discrete,  would  normally  be  tried  first 
and.  if  not  snccT.ssful,  given  up  after  some'  time*  for  active  ones.  Triggers  camiol 
model  such  a  behavior.  “Phase'  leaves',  nsc'd  on  the  right  sidc^  of  Fig.  3,  allow 
this  behavior  to  be  modc'led;  tlic'ir  formal  definition  is  given  in  [16]. 


3.4  Diverse  and  Efficient  Quantifications:  Principles  and  Use-Case 

The  intere.st  of  BDMP  doc's  not  only  lie  in  the  possibility  to  rejiresent  secjuc'iices. 
They  enable  diverse  t iiiK'-domain  quantifications,  including  the  i)rol)ability  for 


92 


L.  Piotre-Cainbarecl^  and  M.  Bouissoii 


M  I'^l 

Piwive 

fmgcipnnliFig  tingcrprjntin)( 


Passive  fingerprinting 


Activcfingcrprinling 


Fig,  3.  Modeling  parallel  or  phased  alternatives 


an  attacker  to  reach  his  objective  in  a  given  time  or  the  overall  mean  time  for  the 
attack  to  succeed.  In  addition.  BDMP  analysis  yields  the  enumeration  of  all  the 
imssiblo  attack  paths,  ordered  by  their  probability  of  occurrence  in  a  given  time. 
Such  results  can  b('  efficiently  computed  thanks  to  an  original  analytical  nu'thod 
(leveloped  for  large  Markov  models,  and  thus  applicable  to  BDMP  [4].  Indeed,  as 
explained  previously,  BDMP  are  high-level  representations  of  potentially  large 
Markov  chains;  however,  the  treat  incut  of  such  chains  is  usually  confronted  with 
state-space  explosion.  It  is  overcome  using  a  path-based  approach,  ex[)loring 
the  sequences  leading  to  the  undesirable  states.  Such  an  approach  enables  exact 
calculations  for  small  models  by  exhaustive  exploration.  For  larger  models,  it  is 
possible  to  obtain  controlled  approximations  by  limiting  the  sequence  exploration 
to  those  having  a  probability  greater  than  a  given  threshold.  In  both  causes,  the 
I>robability  of  the  explored  sequences  is  computed  by  the  closed  form  expression 
given  in  [5].  Sequence  exploration  takes  advantage  of  the  trimming  luechanisiu 
described  in  Section  3.1,  which  leads  to  a  strong  combinatorial  reduction. 

More  concretely,  the  analyst  must  define  the  A  parameters  of  the  exponential 
distributions  and  the  7  parameters  of  the  ISE  leaves.  Defining  the  As  is  done  by 
reasoning  in  terms  of  Mean  Time  To  Success  (MTTS),  i.e.  1/A,  like  in  [9,(),20]. 
The  7s  are  also  set  subjectively.  The  parameters  should  be  estimated  based  oil 
the  intrin.sic  difliculty  of  the  attacker  actions,  his  estimated  skills  and  resources, 
and  the  level  of  system  protection.  We  have  used  the  KB3  workb('nch  [2]  for 
the  model  construction  and  quantitative  treatments  in  this  paper.  Fig.  4  models 
the  attack  of  a  password-protected  file,  of  which  a  copy  has  been  stolen.  In  our 
scenario,  obtaining  the  password  is  the  only  way  to  access  its  content,  needed 
l)y  the  attacker  within  a  week  (this  may  take'  place  in  a  call  for  tender  in  a 
competitive  environment).  The  parameters  chosen  are  not  given  here  for  space 
limitation  reasons,  but  they  can  be  found  in  the  tecdinical  report  [15]. 

Such  parameters  lead  to  a  probability  of  siicces.s  in  a  week  of  0.422,  with 
an  overall  MTTS  of  22  days.  An  exhaustive  exploration  gives  G54  possible 
sequences;  Table  2  shows  a  representative  excerpt.  The  beginning  of  a  phase 


Attack  and  Defense  Modt'ling  with  BDMP 


93 


6 


Fig.  4.  Attack  of  a  p;uss word-] )n)t('c ted  file 


is  niaik('(l  as  ‘‘<pha.so>”  and  its  end  as  ‘‘</pliase>”.  Even  if  phases  are  not 
basic  seenrity  events,  tli(‘v  are  fully  part  of  the  sequences  as  they  structure  their 
chronology.  The  same  applies  to  the  leaves  that  are  realized  unnecc'ssarily;  they 
ar<'  marked  in  italics.  As  one  ean  see,  most  of  the  seqiu'iiees  include  one  or  more 
imnec('ssary  actions  or  events  that  hav(^  no  effeet  on  the  global  succ(\ss  of  the 
attack  and  as  such,  these  sequences  arc^  non-niininial.  The  niiniinal  sequences 
are  t'alled  success  sulvsequcnices,  or  SSS.  Seq.  I  to  4  are  ininiiiial  and  weigh 
probabilistically  47%  of  all  the  sequenees.  Seq.  5  and  (3  are  good  examples  of 
non-ininimal  sequences.  Bniteforce  is  a  spc'cific  h'af  as  it  is  also  the  only  single' 
eh'Uient  SSS.  It  appears  dirc'ctly  as  a  niiniinal  sequenee  in  liiu'  3.  but  also  ends 
numerous  noii-miiiiinal  sequencx's.  In  fact,  the  eonsolidatcd  eoiitribution  of  all 


94 


L.  Piotre-Caml)acc(lcs  and  M.  Boiiissoii 


Table  2.  Selection  of  soquonces  with  quantifications 


Sequences 

Probability 
in  a  week 

Average 

duration 

Contrib. 

1 

<SociA!  Eii«>Generic  rocoiin.,  Email  trap  excr.,  User  trapped 

1.059  X  10'  ^ 

9.889  X  nr* 

25.1% 

2 

<Soriiii  En«>G«‘neric  rccoiiii..  Phone  trap  exec.,  User  trapped 

5.295  X  10'^ 

9.889  X  10“* 

12.5% 

3 

Bnit.eforcc 

2.144  X  10‘  ^ 

5.638  X  Up 

5.1% 

4 

<Sociii]  Enx>  </S{)rial  EiirX  Key  Kemote>  <  /  Remote > 

< Physical >  Phy.sicul  rtMonii..  Keylogger  local  installation. 
Password  intercepttid 

1.749  X  10 

2.976  X  10^ 

4.1% 

5 

<Social  En^X/Sorial  Htif<XKeyl<>gKer>  <Remote>  TV- 

f.onnoissajice  <  /  neiu<>texi‘hysital> Physical  reconnaissance. 
Keylogger  local  installation,  Password  intercepte<l 

1.350  X  10“^ 

3.677  X 

3.2% 

(i 

<Socii»l  G enei’ic  rfconnaissaiice^  Email  imp  execution. 

U»e.r  tmppe<l(failure).  Rriiteforre 

1.259  X  10“-^ 

2.610  X  in'* 

3.0% 

20 

<Socia!  EnKX/Social  Eun>  <  Keyl<>f^Kerxnei«otc>Geiieric  re- 
connaissan<-e,  Payload  crafting.  Ai>propriatc  payload,  Pass¬ 
word  intercepte<l 

2.500  X  10“  ’ 

2.761  X  10^ 

0.6% 

,34 

<S<>ci»!  En«X/Social  KiiKXKeylogKer>  <Reiii<iJe>CJeneric  rO- 
conii..  Payload  craftinq  </Remote>  <p\\yn\vt\\>  Crafted  at- 
tarheinent  opened.  Appropriate  payload.  Physical  roctjiin., 
Keylogger  local  installation,  Pitssword  intercepted 

1.50(>  X  10  ^ 

4.594  X  10’* 

0.4% 

the  sequences  ended  by  hruteforce  weighs  40%  of  all  the  seqiunices.  Such  a  strong 
weight  despite  bnit(^for(c\s  large  MTTS  is  due  to  the  absence  of  other  steeps  to 
be  fulfilled.  This  points  to  a  more  generic  stateiiKuit:  a  complete  analysis  should 
not  only  u.se  the  list  of  sequences,  but  also  consider  complementary  views,  inch 
consolidated  ('ontributioiis  (jf  SSS.  Seq.  3  to  19  involve  only  two  SSS;  seq.  20 
relic's  on  a  new  SSS,  then  one  has  to  wait  until  seq.  34  to  find  another  one.  This 
latter  sequence  illustrates  the  specificity  of  TSE  leaves,  which  arc  able  to  bc' 
realized  in  Idle  inode  if  the  leaf  has  bcx'ii  Active  at  least  once. 


3.5  Hierarchical  and  Scalable  Analysis 

It  is  possible  to  choose  for  each  attacker  action  the  depth  of  analysis,  heading  to 
diff(Teiit  breakdowns  depending  on  the  analysis  needs.  This  hierarchical  behavior 
is  a  powerful  propc'rty  directly  inherited  from  the  attack  tree  fonnalism.  In  Fig.  4, 
the  pas.sword  crac  king  alternative's  have  been  broken  down  cpiite  roughly  into 
three  techni(|ucs  which  might  have  bec'ii  dc'composed  themselves  into  much  finer 
possibilities:  on  the  other  hand,  the  social  engineering  and  the  keylogger  siib- 
tre^es  are  slightly  more  dc'veloped.  More  detailed  brc'akdowiis  would  have  bc'cn 
jiossible.  In  fact,  BDMP  with  more  than  100  leave's  are  routiiic'ly  i)roc(^ssed  in 
reliability  studies  [2]:  the  method  is  also  scalable  for  security  applications. 


4  Integrating  Defensive  Aspects:  Detection  and  Reaction 

Holistic  approaches  to  security  generally  covc'r  protection,  detection  and  reaction. 
The  levcd  of  protection  can  be  c'onsidered  as  intrinsically  refk'cted  by  the  BDMP 


Attack  and  Defense  Modeling  with  liDMP 


95 


structure,  modeling  only  possible  ways  for  attacks,  and  its  leavers'  j)aranu‘t(Ms 
(As  and  ys).  reflecting  the  attack  difficulty  confrontcnl  with  a  given  protection 
kwel.  This  section  prescMits  tlu'  sj)ecifically  tailorc'd  ('Xtensions  to  BDMf^  lu^Hkxl 
to  model  detcH'tion  and  reaction  Jispects. 

4.1  The  lOFA  Detection  Decomposition 

The  integration  of  detection  in  a  dynamic  j^cnspc'ctiv'e  has  led  us  to  distinguish 
four  types  of  detection  for  tlu^  A  A  and  TSE  leaves,  difiercnitiated  by  the  moment 
when  the  detection  tak(\s  plac(\  Tyi^e  1  (Initial)  d(‘t  eel  ions  take  place  at  the  very 
start  of  the  attack(*r  actions  or  of  the  ('vents  iiuxk'led;  type  O  (On-going)  take 
pla.c('  during  the  attacker  att('nipts  or  during  tlu'  events  modeled;  type  F  (Final) 
detc'ctions  take  place  at  the  inoinent  the  attackc'r  snccc'eds  in  an  action  or  when 
an  event  is  realizc'd:  Type  A  (A  ]>osteriori)  detections  take  place  (')nce  an  action 
or  an  ('veiit  has  be('n  realized,  based  on  the  traces  kdt  by  such  an  action  or 

('V('llt . 

Each  of  tlK'in  has  a  sj^ecific  relevance  in  a  security  cont('xt.  Such  distinction 
allows  for  a  fiiu'-tuiK'd  and  coini^lete  inodc'ling  of  detection;  it  is  d('signat('d  by 
the  acronym  lOFA.  ISP]  leav('s  ha\'('  bc'en  treati'd  slightly  diffc'ieiitly  with  two 
distinct  d('t('ctions.  d('p('nding  on  the  legalization  outcome. 

4.2  Extending  the  Theoretical  Prainework 

111  order  to  model  detections  k  rc'actioiis,  we  extc'iid  tlu'  framework  of  §  3.1  I>y: 

associating  to  ('ach  element  a  Boolean  D^,  calk'd  Dc'tection  status  indic  ator: 
“  rejilacing  tlic'  Active  mode  by  Active  Undetected  and  Active  Detected  modes: 
—  sekx’ting  the  mode  on  the  basis  of  and  not  only  A",,  as  describc'd 

in  rah.  3  (note  that  in  tlu'  formal  notations  of  tlu'  following  sectiejus,  0  in 
subscript  coiresjioiids  to  tin'  Idle  mode  and  cowrs  XiDj  =  00  or  01); 
('xtending  the  k'aves'  triggt're(i  Markov'  proexvsses  with  new  states,  transitions, 
and  proliability  traiisfc'r  functions,  modeling  dc'tc'ctions  and  reactions. 


Table  3.  The  new  compound  process  selec  tor  A5/1,  and  tlu'  coria'sponding  inodes 


X,D, 

00 

01 

10 

11 

Mode 

Idle 

Active  Ihidete'cte'd  (AE) 

Active  Detected  (AD) 

Detection  and  reaction  in  the  triggered  Markov  processes.  In  this  frame'- 
work,  a  P,  is  a  sot  {Zo(0- ^u)(0’ ^li (0. /o  /,Lu • /u.-m /I'n  wlioro: 


Zq(/). /^Jq(/).  Zj  j  (0  are  three  homoge'iie'ons  Markov  proces.se's  with  discre'te 
state  .spaces.  For  k  G  {0,  10,  11}.  the  state'  space  of  Z(.(/)  is  A}.  Each  A[ 
contains  a  siibse't  Sj.  which  corresponds  to  sueeess  or  realizatieui  state's  of 
the  ba.sic  se'curity  e'vent  modede'd  I)y  the  process  P,.  and  a  subse't  Dj,  which 
corre^sponds  to  de'te'ctc'd  states. 


96 


L.  PiotrtvCainhacedes  and  M.  Boiiissou 


“  /o_^ir /lo-ii' /lo-o’ /u^o  “probability  transfer  functions’'  de¬ 

fined  as  follows: 

•  for  any  .r  €  Aq.  is  a  probability  distribiilioii  on  A\q.  such 

that  if  ,r  €  S,^,  tlioii  Ej€s;o(/o-io(^))(i)  =  1-  if  ^  then 

E,eo;,.(/.L.<,(-r)){j)  -  1; 

•  for  finy  ;r  G  ^4'),  is  a  probability  distribution  on  y4jj,  such 

that  if  X  6  5q,  then  (/o-u (^‘))0)  =  if  i:  €  Dq,  then 

Ej€ZJi,(/n-.i(-'’))0)  ==  1; 

•  for  any  x  G  /Iiq'  fw-^ui^)  probability  distribution  on  A\i,  sueh 

that  if  jr  G  S\q.,  then  (/h)-ii(‘^0)O')  =  if  G  Z^iq,  then 

•  for  any  x  G  /Ijj,  fh^nix)  is  a  probability  distribution  on  ^q,  such 

that  if  G  S\]  then  (/n_o(<^’))(j)  =  if  ^  ^ 

E,e/.;,(/^  ^oGOKJ)  =  1; 

•  for  any  x  G  /,\,  is  a  probability  distribution  on  /Iq,  such 

that  if  X  G  S\q  then  (/*o^u(^))0)  =  if  ^  A^Gn 

EiGD' (//n-.o(-^’))(j)  =  1- 

Note  that  /,\_io  is  not  defined:  an  attacker  once  detected  cannot  subsequently 
become  nndetc'cted. 

Idle  triggered  Markov  processes  of  Section  3.1  are  re-engineered  to  integrate 
detection  and  reaction  features,  as  presented  in  Tab.  4.  They  support  the  lOF'A 
detection  model  of  Section  4.1.  Transition  parameters  associated  to  detection 
are  marked  with  a  ’43'  in  subscript.  In  the  ease  of  the  A  A  and  TSE  leaves,  this 
letter  is  followed  in  |)arenthesis  by  the  type  of  deteetion  (I,  (3,  F  or  A)  they 
characterize-  in  the  case  of  the  ISE  leaves,  it  is  followed  by  the  eharacteriz(Kl 
ontcoine  ("/R”  in  case  of  realization,  “/NR'"  in  cas('  of  bad  outcome  for  the 
attacker).  The  .success  and  realization  parameters  are  linked  to  the  detection 
status  of  the  leaf:  “/D*’  in  subscript  means  "having  been  detected",  whereas 
“/ND”  means  “having  not  been  detected".  Discs  with  dotted  circumferences 
represent  “instantanc'ons"  states  whereas  full  discs  are  regular  timed  states.  By 
instantaneous  states  we  mean  (Mther: 

—  Artificial  states  introduced  for  the  sake  of  clarity,  but  which  could  be  removed 
by  merging  the  incoming  timed  transitions  with  the  outgoing  instantaneous 
transitions  into  single  timed  transitions  (e.g.  the  state  SPD  in  Tab.  4), 

—  Special  “triggering"  states  which  have  been  iiitrodiieed  to  change  the  Di 
values,  and  trigger  mode  changes  based  on  internal  leaves  evolution.  For  in- 
stanee  in  Tab.  4.  in  AU  mode,  an  arrival  cither  in  the  “Detected'’  or  the 
’'Suecess  Detected"  states  triggers  an  instantaneous  inod('  switch  towards 
the  AD  mode;  both  arrivals  set  the  Deteetion  indicator  status  73,  at  1,  pass¬ 
ing  the  Boolean  XiD^  value,  used  to  seleet  the  mode,  from  10  to  11.  Such 
“triggering”  instantaneous  states  are  represented  by  striped  dises. 


Attack  and  Defense  Modeling  with  BDMI 


97 


Reaction  ‘‘propagation”.  The  oxtt'iided  Markov  model  of  the  “Attaekt'r  A(- 
tion"  leaf  in  AU  mode  (cf.  Tab.  4)  is  a  good  illustrat  ion  on  how  dedeetion  is  taken 
into  account  ‘‘withiit*  a  given  leaf,  and  can  provoke  a  local  inode  switeh  towards 
th('  AD  mode.  This  ehanges  the  l(*af  parameter  Xs/nd  ^  value  X^/d.  turn¬ 
ing  th('  action  more  difficult  or  even  impo.ssible,  if  As/n  —  d,  when  the  atta(*ker 
is  deteeted.  The  same  apj)lies  for  the  otlu’r  leaves.  Hnt  such  mode  switches  can 
also  b(‘  provokcxl  ‘externally*',  i.e.  by  a  (kdection  having  occurred  at  the  level  of 
a  different  leaf.  In  fact,  the  following  possibilities  can  bt*  distingnished: 

the  d(d('ction  Inis  a  strictly  local  incidence:  only  the  detecti’d  attacker  action 
(a*  security  event  is  affected,  tlu'  rest  of  the  HDMP  is  unehangt'd,  i.e.  the 
other  leaves  keep  the  same  parameters  As  and  ys: 

the  detection  has  an  c'xtended  ineidence.  changing  not  only  the  on-going 
detectc'd  k’af  parameters  but  also  a  specific  set  of  othc’r  knives  in  the'  BDMP; 
—  the  detection  Inis  a  global  incidc'iice:  in  ea.se  of  dc'tection,  all  the  Di  are  sc't 
to  1.  meaning  that  all  the  future’  attackc'r  actions  or  security  events  will  be 
in  Drtcefed  mode,  with  the  iussociatc’d  paranu’ters. 

This  last  option  is  the  one  that  Inxs  been  adopted  in  this  papc'r:  it  is  both  mean¬ 
ingful  in  terms  of  seenrity  and  straightforward  in  tc’inis  of  formalization  and 
implementation.  Note'  that  the  inte’rmediate  option,  especially  re'levant  whc'n 
ek'aling  with  nmlti-domain  .syste'ins,  hjus  lic'en  explorc'd  by  the  authors  and  e'an 
be  implemented  I)y  the’  introdnetion  of  ‘'detc’e  tion  triggers’*.  The  a.ssoeiatc'd  ek^- 
ve'lopme’iits  are  not  given  lu're  for  space  limitation  rc'asons. 

Use-case  taking  into  account  detections  and  reactions.  44ie  nse’-ease 
of  Sc’ction  3.4  has  been  e'oinplete'd  by  adding  dete’c  tion  and  rc'aetions  i)e)ssibil- 
itie's.  The  cliose'ii  parameters,  not  give'ii  he'ie  for  space  limitation  rc'tusons.  can 
be’  found  in  [15].  Globally,  the’  introdnetion  of  detc’etions  and  rc’aetions  rediicc's 
the  probability  of  success  within  a  wec'k  by  about  14%,  from  0.423  to  0.364. 
This  mode'st  re'diu  tion  ('an  be  (’xplainc’d  by  the  fact  that  the  most  probable  sne- 
c'C'ss  scTiueiice'.  the  single  off-line'  brntcforce.  is  not  snbjc'et  to  ek’tc’ct ion.  In  fac  t, 
(’ven  with  systematic  ck'teetions  and  i)erf('ct  reactions  (the'  attack  is  stoppc’d). 
the  attacker  would  still  have  a  0.201  probability  of  snce  (’.ss,  just  by  the  off-line 
brntcforce’  attack.  In  te'rms  of  seeinenees  analysis,  the’  number  of  possible  sc’- 
einenex's  is  mneii  higher  (4231  vs.  656  in  See  l  ion  3.4).  Tab.  5  give’s  a  .sek’Ction  of 
seeiuenees  with  the'  eonve’ntions  of  Tab.  2:  in  addition,  elele'eaions  that  oe’cnrre’d 
are'  indicatexl  in  l)rackets  for  the’  re’levant  leave’s.  Ilc’ie’  again,  the  top  2  se'ejnencc’s 
are  dirc’e  t  snce’c’sse’s  of  soc  ial  enginc'ering  te’e'lmiejiies,  followe’d  by  the  sneress  of  a 
dirc'et  brnteforce  attack.  In  the  present  e^use,  thc’y  are  followc’d  by  sc’vc'ral  bnitc'- 
foree  te’rniinate’d  non-minimal  sequence's,  be’fore  the  first  se’epie’ncc’s  ha.sc’d  on  the 
trappe’d  email  with  malic'ions  payload  approach  ajipear  (se'ep  14  and  17).  This 
differs  from  Tab.  2  in  which  the  seqne'iices  based  on  jihysie  al  approac'he’s  appc'ar 
first,  whe'rc’as  thc'v  are  relegate’d  to  se’q.  20  and  fnrthc'r  in  the  pre.sent  ease.  This 
is  related  to  the  detection  and  reaction  possibilities  a.ssociate'd  here  to  sue-h  se’- 
epa’iiees.  In  se’ej.  20,  the’  attacker  Inis  failed  in  his  social  engineering  attempt  to 


98 


L  F^ietre-Cambacedc's  and  M.  Boiiissou 


Table  4.  The  triggered  Markov  processes  of  the  AA  and  ISE  leaves 


Attacker  Action  (AA) 


Markov  processes 


Probabilitv  transfer  functions 


Idle  {Zi(l)) 


Active  Undetected (Z|j,(/)) 


^  Pr(D}-YtM,^  Pr(SD)^0,  Pr(SU)^0} 
(PD)-^  \Pr(OU}^0.  Pr(D)  =  l.  Pr(SD)^0.  Pr(SV)^0} 

(SU) ^\Pr(OU)=  0.  Pr(D)^  0.  Pr(SD)^  O.PrfSL’}^  !} 
(SD)={Pr(OU)^  0.  Pr(D)=  0.  Pr(SD)^  I.Pr(SU)=  0/ 

/o.  .1 1  (Pf^’)  =  {Pr(OD)  »  I.  Pr(Sn)  *  0}  * 

(PD)  *  {Pr(OD)=  1  Pr(SD)^  0} 

(SV) ^  \Pr(OD)^  0.  Pr(SD)^  I}* 

(SD)=  {Pr(OD)^  0.  Pr(SD)=  1} 

fltyM^(OU)•  {Pr(OD)~  /.  Pr(SD)^  or 
(D)  =  { Pr(OD)  «  /.  Pr(SD)  •  0)** 

(SD)  =  {Pr(OD)=  0.  PrfSD}^  I}** 

(SU)  -  {Pr/OD)^  0.  Pr(SD)=  I}* 

fn  (OD)-=  \Pr(PU)=  0.  Pr(PD)=  /.  Pr(SD)^  0,  Pr(SL)=  0} 

(SD)=  {Pr(PU)=  0.  Pr(PD)^  0.  Pr(SDr  /.  Pr(SU)=  0/ 

{Pr(PU)=  I.  Pr(PD)^  0.  Pr(Sn)=  0,  Pr(SV)=  0} 

(SU)  =  {Pr(PU)^  0.  Pr(PD)^  0.  Pr(SD)=  0.  Pr(SU)^  1} 

*  The  deteclion  has  occured  at  a  different  leaf 

•  •  Despite  D  and  SD  having  null  durations,  these  lines  are  neces.sary  to  specif' 
the  transfer  function,  the  transfer  being  potentially  triggered  hy  the  leaf  itself 


Markov  processes 


Idle  (Z;(/)) 


Active  Undetected  {Z\JJ)) 


[  I  an  rtAnvd  A 


Active  Detected  (Z|,(/)) 


Instantaneous  Security  Event  (ISE) 

Probability  transfer  functions 


/)  .\»(SU)^{Pr(SU)=(I  ys\i)>(I  -yDstt).Pr(RU)=ysMy(l-y{yn}- 
P(SD)^(I  ya  M))yaM(.  P(RD) » r} 

(RU)-^{Pr(S'U)^  0.  Pr(RU)~(i  -you).  Pr(\D)=  0.  Pr(RD}  =  Ydr} 
(S'D)^{Pr(NU)^0.  Pr(RU)^(l  Pr(ND)^  /  Pr( RD)  •  y^^-n} 
(RD)-^{Pr(NU)*0.  Pr(RU)^0.  Pr(\D)=  0.  Pr(RD)  =  1} 

/o-.ii  r.VU;-/Pr('.VD;-r/  -  ywn).  Pr(RD)^  ysso) 

(RU)^{Pr(ND)=  0.  Pr(RD)'  1} 

(SD)^{Pr(SD)~  (I  -  ys^tJ.  Pr  (RD)=  ysiy} 

(RD)^{Pr(ND)^0.  Pr(RD)=!} 

I  ( SV)  =  iPr(ND)  =  A  Pr(RD)  -  0} 

(RU)={Pr(SD)=  0,  Pr(RD)^  1} 


fi\  ->  (\D)^{Pr(NU)=0.  Pr(RU)--  0.  PrriD)=  A  Pr(RD}^0} 
(RD)^{Pr(SU)=(),  Pr(RU)^  0.  Pr(.\D)=  0.  Pr(RD)^l) 

(SU)={Pr(SU)^I,  Pr(RU)^  0.  Pr(SD)-  0.  Pr(RD)^0} 
(RU)^{Pr(NU)=0,  Pr(RU)=  /,  Pr(^D)^(),  Pr(RD)^0} 


Attack  and  Defense  Mod('ling  with  BDMP 


9!) 


Table  5.  Selection  of  sequences  with  {juantifications 


Soqiionces 

Probability 
in  a  week 

Average 
cl  uratiuii 

Contrib. 

l 

KiiK>CIt'iiorir  reconn.,  {‘'.mail  trap  ex<*c..  Us<‘r  trap|)oa 

1.091  X  10  ' 

<).HH<)  X  HP 

:io.o% 

2 

<SoriAl  KnK>CH‘iu‘ric  r<‘<'<)iin.,  Plione  trap  exec.,  User  trapped 

5.  l.Vi  X  10 

9.885)  X  10* 

l.').0% 

.1 

Unit  eforre 

2. M  l  X  10  ^ 

,'>.0.18  X  in* 

.'1.9% 

4 

<.Sori.Tl  KnK>  (Tenerif  ir.coTtJiai.ssuiicc.  Briitefi)rre 

l.0.').5  X  10  ^ 

<).885)  X  10* 

2.‘)% 

([...].  Bnitcdoree)  x  9 

14 

<So«  ini  ringxSfM'Crti  Klin > <  K«.yl<>n>t<T > <  >Cjeiieric  recuii- 

naissaiH  Payl<ja<I  crafting(no  detection),  vXppropriate  pay- 
loa(l(iio  detection),  P.'ussword  intcret  pted 

2. 2.^0  X  10 

2.701  X 

0.0% 

([...].  Brnteforce)  x  2 

17 

i;:nK>C*eneric  rec r)nnaissan{<‘  <.s<>riai  RnK><rKcy1<»nK,.r> 
<  H«  nu.t«  >PayIoa<I  erciftiiig(ii(i  d<'te<  t  ion).  Appropriate  pay- 
load(no  detection),  I'.-Lssword  interce  pted 

l.92:i  X  10 

2.088  X  l()-* 

0..VX. 

([...].  Bnitedorce)  x  2 

20 

f.iik>  C7enerie'  feconna7.s.‘,arice.  Email  trap 

rsci-..  IJstr  trapped  (failure  and  detection)  <So«'ihI 

Knjt  >  <  K«.yl«>KK'‘r  >  Physical 

recoiin..  Kc'ylo^ger  lo<  al  install/ition.  Pjussword  intrrccpterl 

l..^j.t9  X  10  ‘ 

.^>.5)5)  1  X  K)-' 

0.1% 

iiniiiipiihite  the  us('r  by  a  forgc'd  (Miniil  and  has  been  (hdected;  the  paraiindcTs  of 
the  snbse(|neiit  leav(\s  are  those  correspondiiig  to  a  detected  status.  Here  again,  a 
complete  analysis  is  not  provided,  but  would  bcniefit  from  snecess  snb-scHjiKniees 
consolidat  ion  views. 


5  On-Going  and  Future  Work 

A  first,  groiij)  of  on-going  developments  aims  at  snpjjorting  scv  nrity  (h'cisions. 
The  new  modes  related  to  detection  enable  new  quantifications  which  may  be  of 
interest  for  the  analyst.  This  includes  the  mean  time  to  detection  (MTTD)  or  at¬ 
tack  sc'cpK'iices  classification  ordered  by  their  probability  of  (h’tectioii.  Besides,  if 
the  list  of  sectnencc's  provides  insightful  c|ualitative  and  qiia.iititat ivt'  information, 
fine.r-grain  analysis,  for  instance'  regarding  siu'cc'ss  snb-secpiencc's.  are  nec'ded  to 
take  complete  advantage  of  the  model  results.  Morecner.  individnal  Ic'af  impor¬ 
tance  factors,  adaptc'd  to  dynamic  models  as  (Hschs.sckI  in  [Id],  could  be  detinc'd 
for  oiir  franu'work  to  complete  the  analyst  tool-box.  We  intend  to  develop  c*om- 
plet('  and  antomatod  tcwls  implementing  all  tlu'se  as])ects  in  order  to  provide  a 
finer  and  eiisier  support  to  sc'cnrity  decision. 

A  sc'cond  type  of  perspective  deals  with  the  BDMF^  theoretical  franu'work. 
RDMP  have  bc'en  built  on  Markovian  a.ssimiptions  and  expoiK'iitial  distrihntioiis, 
(‘ommonly  ac(‘ept(‘d  in  reliability  CMigineeriiig  [19].  Although  such  a  framc'work 
has  also  been  used  in  ,secnrity  (stv  [IG]  for  a  short  review^),  there  is  much  debate' 
on  the  appropriate  way  to  mcKlel  stochastically  the  bc'havior  of  an  intc'lligc'iit 
attacker,  if  any.  In  this  perspective,  it  may  be  of  intc'ic'st  to  ('liable  tin?  use  of 
othc'r  distributions.  This  is  possible  without  (hanging  tin'  graphical  formalism, 
but  th('  (iiiantifications  could  not  fully  benefit  from  tlu'  methods  (h'scribc'd  in 
Sc'ction  3.4  and  would  rely  on  Montc'-Carlo  simulation. 


100 


L.  Pietrc-Canibacedcs  and  M.  Bouissou 


Finally,  the  construction  of  diverse  models  during  this  research  has  led  to  the 
identification  of  recmrreiit  patterns  in  attack  s(‘(niarios.  A  rigorous  inventory  and 
categorization  of  such  patterns  could  lead  to  a  library  of  small  BDMl^  modeling 
classical  attack  steps  ready  to  assenibk'  when  building  a  conii)lete  model. 


6  Conclusion 

The  adaptation  and  extension  of  the  BDMP  formalism  offers  a  new  sec\irity 
modeling  technique  which  combines  readability,  scalability  and  (piantification 
capability.  This  paper  has  presented  a  complete  view  of  its  matlKUiiatical  frame¬ 
work  and  has  illustrated  its  use  through  different  use-cases.  Se(|ueuces,  but  also 
concurrent  actions  or  exclusive  choices  can  be  easily  taken  into  account.  On  the 
defensive  side,  detection  aspects  have  been  integrated  while  several  alternatives 
are  possible  for  reaction  modeling.  This  extended  formalism  inherits  from  the 
hierarchical  and  scalable  structure  of  attack  trees,  allowing  different  depths  of 
analysis  and  ease  of  appropriation,  but  goes  far  beyond  by  taking  into  a(‘count 
the  dynamics  of  security.  It  enables  diverse  and  efficient  time-domain  quantifica¬ 
tions,  taking  advantage  of  the  BDMP  trimming  iiu'chaiiism  and  their  a,sso(‘iat(‘d 
sequence  exploration  apj)roach,  which  have  been  used  extemsively  in  the  relia¬ 
bility  engineering  area.  If  there'  is  still  room  for  further  devel()[)inents  exs  seen  in 
Section  5,  the  framework  presented  here  can  be  already  considen'd  as  ready  to 
use,  bringing  an  original  approach  in  the  security  modeling  area. 


References 


1.  Ainoro.so,  E.G.:  llireat  Trees.  In:  Fundamentals  of  coiiipiit('r  security  technology, 
cli.  2,  pp.  15  29.  Prentice- Hall  Inc..  Englewood  Cliffs  (1994) 

2.  Boni.s.soii,  M.:  Automated  dependability  analysis  of  complex  systems  with  the  KB3 
workbench:  the  experience  of  EDF  R&D.  hi:  Proc.  International  Conference  on 
Energ>'  and  Environment  (CIEM  2005),  Bucharest,  Romania  (Octolx'r  2005) 

3.  Bouissou,  M.,  Bon,  J.:  A  new  formalism  that  combines  advantages  of  fault-trees  and 
Markov  models:  Book'an  logic  driven  Markov  proce.s.s('s.  Reliability  Engineering 
System  Safety  82(2),  149  103  (2003) 

4.  Bouissou,  M.,  Lefebvre,  Y.:  A  patli-based  algorithm  to  evaluate  asymptotic  unavail¬ 
ability  for  large  Markov  models.  In:  Proc.  Reliability  and  Maintainability  Annual 
Symposium  (RAMS  2002),  Seattk',  USA,  pp.  32  39  (2002) 

5.  Harri.son,  P.:  Laplace  transform  inversion  and  passage  time  distributions  in  Markov 
processes.  Journal  of  applied  probability  27(1),  74  87  (1990) 

6.  Jon.ssoii,  E.,  Olovsson,  T.:  A  quantitative  model  of  the  security  intrusion  process 
based  on  attacker  behavior.  IEEE  Tiaiis.  Soft.  Engineering  23(4),  235  245  (1997) 

7.  Kotenko,  1..  Stepevshkin.  M.:  Analyzing  network  security  using  malefactor  action 
graphs,  hit.  Journal  of  Comp.  Science  and  Network  Security  6(6),  226  236  (2006) 

8.  Lippmann,  R..  Ingols,  K.:  An  annotated  review  of  past  papers  on  attack  graphs. 
Project  Report  ESC-Tll-2005-054,  Massachusetts  Institute  of  Technology  (MIT), 
Lincoln  Laboratory  (March  2005) 


Attack  and  Defense  Modeling  with  BDMl’ 


101 


f)  Littlewood,  F3.,  Brocklehnrst,  S.^  Fenton,  N.,  Mellor,  P.,  Pag(\  S  ,  Wright,  D.,  l)ol>- 
Si)n,  .1..  McDennid,  J..  Golhnanii,  D.:  Towards  operational  ineasnres  of  computer 
S(‘cnrit.v.  .loiirnal  of  romputer  Security  2,  211  229  (1993) 

10  Mauw,  S..  Oostdijk,  M.:  Foundations  of  attack  trees.  In:  Won.  D.ll..  l\ini,  S.  (eds.) 
ICISC  2005.  LNC^S.  vol.  3935,  pp.  18G  198.  Springer,  Heidelberg  (2()()()) 

1 1.  Mcl)(>i  iiiott,  J.P.:  Attack  net  penetration  testing.  In:  Proceedings  of  the  2000  W'ork- 
.siiop  on  N('w  Si'curity  Paradigms,  Ballycotton,  Ireland,  i)p.  15  21  (2000) 

12.  Nicol,  D.M.,  Sanders,  WM3.,  Trivetli.  K.S.:  Model-l)iLsed  evaluation:  From  dei)end- 
ability  to  sc’curity.  11*]E1C  TVans.  r)e|:>endal)le  and  Secure  Comp.  1(1),  48  65  (2001) 

13  On,  Y.,  Dugan,  J.B.:  Apiu-oximate  sensitivity  analysis  for  acyclic  Markov  rc'liability 
models.  ll'^Ek]  Tt'aiisactions  on  Reliability  52(2),  220  230  (2003) 

M  Patel,  S.C.,  (Jrahain,  ,1.11..  Ralston.  P.A.:  Quantitatively  ass(‘ssing  the  vulnerabil¬ 
ity  of  critical  information  systems:  A  new  method  for  (’vahiating  s('cinity  enhance- 
nieiits.  bit.  Joinual  of  Information  Management  28(6),  483  491  (2008) 

15  fhetre-Caiubacedes,  L..  Bonisson,  M.:  Attack  and  defense  dynamic  modeling  with 
BDMf’  (extended  version).  Technical  Report,  Telecom  ParisTecli,  DepartmiH.'nt 
INFRES  (2010) 

1().  F^ietre-Cambacedes,  L.,  Bonisson,  M.:  Beyond  attack  trees:  dynamic  .security  mod¬ 
eling  with  Boolean  logic  Driven  Markov  Proce.s.ses  (HDMP).  In:  Proc.  8th  Enroi)ean 
Depeiulable  Computing  Conference  (EDCC),  Valencia,  Spain,  j)]).  119  208  (April 
2010) 

17  Pietre-Cambacedes,  L.,  (diandet,  C.:  Disentangling  the  relations  betweem  .safety 
and  security.  In:  Proc.  of  the  9tli  W’^SEAS  bit.  Conf.  on  Aiiplied  Informatics  and 
Comniimications  (AIC  2009).  WSEAS,  Mo.scow,  Russia  (August  2009) 

18  Pudar,  S.,  Manimaran,  G.,  Lin,  C.:  PI:^NET:  a  j^rac  tical  method  and  tool  for  intc'- 
grated  modeling  of  security  attacks  and  coimtermeasiin's.  C\)mputer.s  Security 
In  Press.  Corrected  Proof  (May  2009) 

19  Raiisand,  M.,  Moylaiid,  A.:  System  Reliability  Tln'ory:  Models  and  Statistical 
Nh'tliods.  2nd  edn.  Wulcy,  Chichester  (2001) 

20.  Sallhanimar,  K.:  Stochastic  models  for  combined  security  and  (h'pendability  evalu¬ 
ation.  Ph.D.  thesis,  Norwegian  University  of  Scieiic(>  and  Tc'chnology  NTNU  (2007) 

21.  Sclmeier,  B.:  Attack  trees:  Modeling  security  threats.  Dr.  Dobb's  .loiirnal  12(24), 
21  29  (1999) 

22.  SheyiKM',  O.,  Haines,  .1..  Jha.  ,S.,  Lippmaini.  R..  W  ing,  .1.:  Automated  generation 
and  analysis  of  attack  graphs.  In:  Proc.  lEEE^  Symiiosiinn  on  Security  and  Privacy 
(SAP  2002),  Oakland.  USA,  pj).  273  284  (May  2002) 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation 
in  Computer  Systems 


Vidyaraman  Sankaranarayanan',  Shambhu  Upadhyaya",  and  Kevin  Kwiat^ 


'  Microsoft,  1  Microsoft  Way,  Redmond,  WA  98052 
krsna@acm. org 

^  Dept,  of  CSK,  SUNY  @  Buffalo,  Buffalo,  NY  14260 
shambhu@cse . buffalo . edu 

^  Air  Force  Research  Laboratory,  525  Brooks  Road,  Rome,  NY  13441 
kwiatk@rl . af . mil 


Abstract.  While  there  exist  strong  security  concepts  and  mechanisms,  imple¬ 
mentation  and  enforcement  of  these  security  measures  is  a  critical  concern  in 
the  security  domain.  Normal  users,  unaware  of  the  implications  of  their  actions, 
often  attempt  to  bypass  or  relax  the  security  mechanisms  in  place,  seeking 
instead  increased  performance  or  ease  of  use.  Thus,  the  human  in  the  loop  be¬ 
comes  the  weakest  link.  This  shortcoming  adds  a  level  of  uncertainty  unaccept¬ 
able  in  highly  critical  information  systems.  Merely  educating  the  user  to  adopt 
safe  security  practices  is  limited  in  its  effectiveness;  there  is  a  need  to  imple¬ 
ment  a  technically  sound  measure  to  address  the  weak  human  factor  across  a 
broad  spectrum  of  systems.  In  this  paper,  we  present  a  game  theoretic  model  to 
elicit  user  cooperation  with  the  security  mechanisms  in  a  system.  We  argue  for 
a  change  in  the  design  methodology,  where  users  are  persuaded  to  cooperate 
with  the  security  mechanisms  after  suitable  feedback.  Users  are  offered  incen¬ 
tives  in  the  form  of  increased  Quality  of  Service  (QoS)  in  terms  of  application 
and  system  level  performance  increase.  User's  motives  and  their  actions  are 
modeled  in  a  game  theoretic  framework  using  the  class  of  generalized  pursuit- 
evasion  differential  games. 

Keyword.s:  Game  theory.  Human  factor  in  security.  Quality  of  Service,  Com¬ 
puter  Security,  Threat  model. 


1  Introduction 

Traditionally  security  and  quality  of  service  (QoS)  have  been  perceived  as  only 
orthogonally  achievable  goals.  The  enforcement  of  security  is  thought  to  be  a  perfor¬ 
mance  obstacle,  and  guaranteeing  QoS  is  thought  to  require  the  relaxation  of  security 
mechanisms  [4].  These  are  the  misconceptions  that  drive  normal  users  to  bypass  or 
relax  the  security  mechanism  in  place.  Unaware  of  the  implications  of  their  actions, 
they  seek,  instead,  increased  performance  or  ease  of  use.  Using  ineffective  passwords 


‘  Approved  for  Public  Release;  Distribution  Unlimited:  88ABW-2008-1 165  dated  02  Dec  08. 
^  Work  done  by  llrst  author  while  at  SUNY,  Buffalo. 

1.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  102-1 17,  2010. 

©  Springer- Verlag  Berlin  Heidelberg  2010 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation  in  Computer  Systems  103 


[2 1,  disabling  critical  security  features,  installing  untrusted  software  [5|,  and  not  ap¬ 
plying  security  patches  in  a  timely  manner  are  a  few  instances  of  user  level  lapses  that 
impede  security.  According  to  a  survey  [19]  conducted  by  McAfee,  users,  in  the  hope 
of  gaining  an  immediate  functionality,  may  recklessly  download  and  install  shareware 
programs  on  their  company  issued  laptops  or  bring  in  their  own  gadgets  to  the 
workplace.  Such  lapses  arc  unacceptable  in  highly  critical  information  systems.  How¬ 
ever  this  brings  out  an  interesting  point.  If  the  human  in  the  loop  proves  to  be  the 
weakest  link,  regardless  of  the  sophistication  and  strength  of  the  security  measures 
taken,  their  implementation  and  particularly,  their  enforcement  in  a  system  must  be  of 
critical  concern.  We  argue  that  enforcement  of  these  security  measures  requires  re¬ 
versing  or  in  the  least,  manipulating  the  above  misconceptions.  Recently  there  has 
been  some  work  done  on  viewing  security  as  one  aspect  of  QoS  and  in  turn,  seeking  a 
symbiotic  relationship  between  the  two  system  interests. 

In  this  paper,  we  aim  to  exploit  the  obvious  interdependence  between  quality  of 
service  and  security  in  order  to  improve  overall  system  security,  particularly  in  inter¬ 
active  systems.  Unlike  previous  approaches  that  tend  to  address  a  single  threat  vector 
[4,  6,  10],  the  work  in  this  paper  describes  an  underlying  approach,  similar  in  theme  to 
[91,  that  may  be  used  in  interactive  systems.  Given  that  users  prefer  greater  perfor¬ 
mance  and  increased  quality  of  service,  we  propo.se  a  model  to  prevent  security 
breaches  and  elicit  user  cooperation  with  the  security  mechanism.  The  focus  of  this 
paper  is  towards  dealing  with  this  class  of  problems  where  the  system  security  level  is 
degraded  due  to  user  action/inaction.  We  take  the  view  that  all  failures  due  to  user 
action  or  inaction  have  to  be  treated  as  engineering  failures,  instead  of  being  ignored. 
We  present  a  game  theoretic  model  intended  to  directly  counterbalance  this  risk.  The 
purpo.se  of  the  model  is  twofold: 

•  elicit  user  cooperation  with  the  security  mechanisms  in  place  by  gracefully 
providing  incentives  to  end  u.sers  as  they  provide  demonstrable  evidence  of 
cooperation  with  the  security  subsystem 

•  punish  potential  intruders  who  refuse  to  cooperate  with  the  .security  subsystem 
with  a  reduced  QoS 

This  approach  is  similar  to  [7],  where  hostile  u.sers  in  a  wireless  ad-hoc  network  arc 
punished  hy  active  jamming.  Our  approach  enjoys  two  main  benefits:  It  encourages 
legitimate  users  to  cooperate  with  security  mechanisms  as  well  as  deters  rogue  users 
by  proportionally  degrading  QoS  in  light  of  suspected  security  breaches. 

The  underlying  concept  of  degrading  performance  in  case  of  observed  security 
problems  is  present  in  different  forms.  In  the  area  of  network-security,  for  example,  a 
server  may  gradually  start  dropping  connections  or  reducing  the  QoS  to  stop  a  DoS 
attack  or  delay  the  propagation  of  Worms.  Wc  extend  this  idea  to  service  throttling  in 
order  to  address  the  weak  human  factor.  Our  mechanism  is  applied  in  ca.ses  where 
there  is  no  absolute  certainty  that  there  is  an  attack  (malicious  traffic  in  the  case  of  a 
DoS  and  improper  user  activity  in  our  case).  Degrading  performance  is  done  for  two 
rea.sons:  delaying  the  attack  (if  there  is  one  in  progress)  and  ensuring  user  level  com¬ 
pliance  to  the  security  policies. 

The  rest  of  the  paper  is  organized  as  follows.  Section  2  discus.ses  related  work  on 
addre.ssing  the  weak  human  factor.  Section  3  presents  the  QoS  degradation  model  and 


104 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwiat 


the  flow  of  control  in  the  model.  Section  4  presents  a  proof-of-concept  simulation  that 
illustrates  the  usage  of  this  model.  Concluding  remarks  are  given  in  Section  5.  The 
appendices  contain  the  differential  games  used  in  the  underlying  QoS  degradation 
model  of  Section  3. 

2  Related  Work 

Researchers  in  |2|,  [9J  and  [22]  all  arrive  at  the  general  conclusion  that  users  may  be 
careless  and  unmotivated  when  it  comes  to  system  security;  however  they  argue  that 
the  fault  lies  ultimately  with  the  design  and  implementation  of  these  security  mechan¬ 
isms.  Adam  and  Sasse[2]  discuss  “Users’  Perceptions  on  Security”  and  the  impor¬ 
tance  of  accounting  for  these  perceptions.  Dourish  et  al.  [9]  argue  the  importance  of 
creating  degrees  of  security  as  oppo.sed  to  the  traditional  “all-or-nothing”  black-box 
approach.  In  this  way,  users  naturally  distinguish  between  highly  sensitive  versus 
le.ss-sensitive  information  systems  and  this  manifests  itself  through  different  behavior 
in  these  different  environments.  Adam  [2]  and  Sasse[22]  also  emphasize  the  impor¬ 
tance  of  removing  the  transparency  from  security  tools,  particularly  in  highly  critical 
systems,  and  actively  involving  users  in  the  security  cycle.  With  these  criteria  in  mind, 
in  this  paper,  we  developed  a  graded  QoS  model  to  make  users  personally  accounta¬ 
ble  for  the  state  of  the  system.  Linn  [16]  introduces  a  parameter  intended  to  manage 
the  level  of  protection  provided  by  a  security  mechanism.  Irvine  et  al.  [14,  15]  define 
security  as  a  constructive  dimension  of  QoS  rather  than  an  obstacle.  Our  approach 
translates  variable  security  levels  directly  into  variable  QoS  levels  returned  to  the 
user.  In  this  way,  there  is  a  tangible  motivation  for  the  user  not  to  circumvent  the 
security  mechanism. 

The  problem  of  the  weak  human  factor  has  been  researched  in  the  same  vein,  by 
using  fear  appeals  [29]  or  by  forcing  the  user  to  interrupt  their  workflow  [31]  for  the 
‘greater  good.’  Generic  approaches  have  also  been  proposed  by  means  of  equating 
safety  properties  to  security  properties  [3].  Certain  online  banking  systems  ask  in 
addition  to  the  password,  personal  information  about  the  user  (like  SSN  number. 
Drivers  license,  etc.)  during  a  login  procedure.  However  such  measures  are  geared 
only  towards  malicious  users  and  do  not  involve  legitimate  users  in  the  security  sub¬ 
system.  A  model  called  ‘safe  staging’  [30]  by  Whitten  and  Tygar  extends  this  notion 
to  legitimate  users,  where  a  system  restricts  the  rights  of  Java  applets  (the  service 
quality)  in  response  to  users'  demonstrated  understanding  of  the  security  implications. 
As  users  become  more  familiar  with  the  security  issues,  the  .service  quality  is  in- 
crea.scd.  Our  model  extends  this  notion  a  step  further  by  incorporating  a  monitoring 
and  feedback  control  mechanism  to  involve  legitimate  users  in  a  constructive  manner. 


3  QoS  Throttling  (QoS-T)  Model 

Essentially,  the  problem  we  .seek  to  solve  is  an  important  one,  but  has  eluded  a  tech¬ 
nical  solution  due  to  a  variety  of  reasons.  Primary  among  them  is  the  act  of  interfe¬ 
rence  and  lack  of  control;  any  technological  solution  that  seeks  to  remedy  the  weak 
human  factor  does  so  by  means  of  either  interfering  in  the  workflow  of  the  user  or 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation  in  Computer  Systems 


105 


taking  away  control  of  the  system  from  the  user,  or  a  combination  of  both  factors. 
These  two  factors  irk  users;  security  designers  have  not  found  the  correct  balance  or 
an  alternative.  Our  approach  is  a  combination  of  these  two  factors,  but  in  a  very  gra¬ 
dual  and  subtle  manner  with  appropriate  feedback,  thereby  giving  the  user  complete 
control  at  every  stage,  with  minimum  to  zero  interference  to  the  workflow.  The  nature 
of  this  problem  involves  understanding  and  quantifying  user  actions,  their  incentives 
and  ensuring  an  optimal  state  where  the  user  objectives  are  met  and  the  system  securi¬ 
ty  is  also  maintained.  Thus,  the  problem  may  be  viewed  as  one  of  balancing  the  objec¬ 
tives  of  the  user  and  that  of  the  system.  In  such  a  situation,  game  theoretic  models 
apply  naturally. 

3.1  Why  Game  Theory? 

We  have  chosen  the  class  of  generalized  pursuit-evasion  differential  games  for  model¬ 
ing  this  problem.  Game  theory  helps  model  a  set  of  ‘selfish'  and  ‘rational'  players 
who  act  in  a  setting  solely  for  their  own  advantage.  Users  in  our  setting  can  be  said  to 
act  .selfishly  to  improve  their  own  QoS.  Game  theoretic  models  have  been  used  to 
infer  the  incentives  of  attackers  [20]  based  on  their  perceived  incentives.  In  this  work, 
we  use  a  game  theoretic  model  to  provide  incentives  to  the  u.ser  in  order  to  elicit  co¬ 
operation.  The  purpose  of  the  game  theoretic  model  is  to  derive  a  measurable  quantity 
out  of  the  user's  actions  that  can  be  given  as  a  feedback  to  the  security  mechanism. 
User’s  actions  in  the  game  theoretic  setting  are  equivalent  to  strategies  of  a  player. 
The  security  mechanism  can  use  the  payoff  function  of  the  game  to  adjust  the  QoS. 
The  advantage  of  modeling  the  uscr/resouree/seeurity-meehanism  scenario  as  a  diffe¬ 
rential  game  is  that  it  allows  for  a  flexible  definition  of  the  act  of  “a  user  accesses  a 
re.source.’'  While  this  definition  is  abstract  at  the  level  at  which  this  model  is  de¬ 
scribed,  it  can  be  properly  inteipreted  and  applied  on  the  specific  security  domain 
where  its  application  is  relevant.  The  model  is  self  enforcing;  we  do  not  make  any 
assumptions  about  the  coordination  between  the  players  of  the  game.  Users  in  a  sys¬ 
tem  need  not  be  aware  of  the  model,  nor  are  they  required  to  consciously  participate 
in  any  ‘game.'  Differential  game-theory  also  has  the  notion  of  ‘continuous'  play, 
which  makes  it  conducive  to  use  it  in  situations  as  these.  Lastly,  the  u.sage  of  game 
theoretic  notions  allows  us  to  specify  notions  of  strategy  or  best  responses  of  the  par¬ 
ticipating  players  (the  users  and  the  system)  thereby  leading  to  good  mechanism  de¬ 
sign  that  elicits  cooperation  from  users  as  a  natural  process.  The  reader  is  referred  to 
18,  17]  for  a  more  detailed  exposition  on  game  theory.  The  specifics  of  the  games 
used  in  our  model  are  described  in  the  appendix. 

3.2  Types  of  Users 

The  threat  posed  by  legitimate  u.sers  in  an  organization  has  appropriately  been 
labeled  as  “The  Enemy  Within"  119]  in  a  recent  survey  by  McAfee  Corpo¬ 
ration  (http://www.mcafee.com).  We  can  divide  the  user  broadly  into  two  different 
categories: 

•  Type  1:  A  Legitimate  User  -  This  category  of  users  includes  legitimate  and  autho¬ 
rized  users  of  the  system.  These  users  log  into  the  system  and  execute  workflow 
processes  according  to  their  roles.  According  to  the  McAfee  Survey  [19],  such 


106 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwiat 


users  are  varyingly  labeled  as  “The  Security  Softie”,  “The  Gadget  Geek”  or  “The 
Squatter.”  While  they  do  not  have  any  stated  intentions  to  disrupt  the 
system,  their  actions  nonetheless  endanger  the  system.  For  example,  these  users 
do  not  have  any  idea  of  the  threat  model  of  the  system  and  hence,  may  not 
implement  the  best  practices  suggested  by  the  organization. 

•  Type  II:  A  Legitimate,  but  Malicious  User  -  Similar  to  Type  I  users,  users  in  this 
category  are  legitimate,  i.e.,  they  possess  authorized  credentials  to  log  into  the 
system.  However,  their  goal  is  to  disrupt  the  system,  either  through  a  self  in¬ 
flicted  cataclysmic  system  compromise  or  through  slow  poisoning  attacks  like 
leaking  confidential  information  about  the  organization  to  its  competitors. 
According  to  the  Survey  [19],  such  users  are  labeled  as  ‘The  Saboteur,” 

Let  us  first  examine  the  challenges  that  researchers  and  designers  face  when  dealing 
with  the  weak  human  factor.  In  any  system,  users  perform  actions  towards  fulfilling 
their  roles.  The  notion  of  actions  is  an  abstract  one  that  can  be  generalized  to  most,  if 
not  all,  sy.stems.  Actions  can  be  split  in  the  following  manner. 

•  Action  Type  /  -  the  fundamental  user  actions  required  for  the  workflow:  These 
fundamental  actions  are  defined  by  the  user’s  role  in  the  environment.  For  exam¬ 
ple,  a  graphics  designer  will  need  to  use  some  photo/video  editing  software.  In 
addition,  a  device  like  a  tablet  may  need  to  be  connected  to  the  computer  via  the 
USB  interface  for  rendering  hand  sketches. 

•  Action  Type  II  -  Ancillary  actions  required  for  the  fundamental  actions  to  work: 
For  example,  exploring  the  hard  drive  is  a  prerequisite  for  most  job  roles.  In  addi¬ 
tion,  connecting  USB  devices,  burning  images  onto  a  CD  may  be  in  this  list  for  a 
graphics  designer. 

•  Action  Type  III  -  These  are  actions  that  arc  not  predefined  like  Action  types  I  and 
II.  These  actions  arc  the  ones  that  users  normally  execute  without  any  restric¬ 
tions,  since  they  do  not  fall  under  the  purview  of  ‘re.stricted  objects.’  They  might 
have  the  potential  to  disrupt  the  working  of  the  system,  or  may  be  inimical  to  the 
individual.  Examples  of  such  actions  include  clicking  on  a  potential  phishing  link 
in  an  un-trusted/unsigned  email. 

For  those  actions  that  are  relevant  to  the  security  of  the  system,  there  exists  an  easy  or 
an  efficient  manner  of  performing  them.  For  example,  choosing  a  password  is  an  (one 
time)  action  that  users  have  to  perform  when  registering  into  the  system.  The  easy 
way  is  to  choose  a  password  that  is  easy  to  remember  (and  hence  easy  to  gue.ss/crack). 
The  efficient  way,  on  the  other  hand,  is  to  choose  a  complex  password  that  is  tough  to 
remember.  Similar  is  the  situation  with  security  updates;  it  is  easy  to  ignore  them 
while  it  is  efficient  to  update  the  system.  For  reasons  that  are  mostly  context  and  do¬ 
main  specific,  users  prefer  to  perform  only  the  easy  action,  and  not  the  efficient  one. 
Viewing  the  interaction  between  the  user  and  the  system  as  a  set  of  easy  vs.  efficient 
actions,  where  the  easy  action  is  most  often  the  inefficient  one,  provides  us  a  global 
view  to  look  into  this  issue.  Thus  the  main  challenge  for  human  centered  security 
schemes  is  to  ensure  that  users  perform  the  efficient  action  with  awareness  of  the 
consequences  of  their  actions.  Viewing  these  actions  under  the  three  prisms  provides 
us  one  methodology  to  address  the  human  factor  related  security  issues. 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperution  in  Computer  Systems 


107 


3.3  Process  Flow 

The  flow  of  control  for  the  QoS  throttling  model  is  shown  in  Figure  1 .  We  First  start 
with  the  security  meehanisin  and  derive  its  requirements.  Towards  this,  we  may  use 
the  systems'  be.st  practices  as  a  guide.  Concurrently,  we  define  the  user’s  workflow 
process.  These  two  steps  are  one-time  processes  which  ensure  that  (a)  at  no  cost  is  the 
users  workflow  adversely  affected  and  (b)  the  Monitoring  agent  is  aware  of  the  secu¬ 
rity  .subsystem’s  expectations.  The  user's  session  then  proceeds  as  usual,  where  every 
user  action  is  first  filtered  by  the  security  policies  in  the  system.  These  filtered  actions 
arc  monitored  by  the  monitoring  agent,  which  decides  if  the  actions  are  in  confor¬ 
mance  with  the  .security  subsystems  requirements.  If  the  user  is  cooperative,  he  is 
rewarded  with  a  gradual  increase  in  the  QoS.  If  the  user  is  not  cooperative,  a  feedback 
is  given  (similar  to  ‘Install  Updates’  dialog  box  in  the  windows  environment,  etc.) 
with  a  request  to  cooperate.  If  the  user  still  blatantly  refuses  to  cooperate,  the  gradual 
application  and  context  specific  QoS  throttling  is  initiated. 


Fig.  I.  Control  Flow 

3.4  QoS-T  Model  1:  Exponential  Back-Off 

Given  a  singleton  proce.ss,  we  discuss  a  simplistic  exponential  back-olT  model  to  evaluate 
a  decreasing  time  delay.  This  time  delay  could  be  used  as  a  parameter  to  the  artificial 
sleep  statements  (or  any  other  context  specific  delay).  This  model  is  useful  in  situations 
where  the  sy.stem  (and  its  threat  model)  is  simple  enough  with  an  automated  meehaiiisni 
that  classifies  the  user.  We  define  the  QoS  throttle  through  a  simple  equation: 

fi.x)  =  {\ I.veiail  (1) 

where  v  is  the  quantitative  input  that  grades  the  users  classification  and  f(x)  the  time 
delay  (in  some  appropriate  time  units)  that  is  impo.sed  by  the  system.  The  value  v  can 
be  the  trust  level  of  the  user  in  the  system,  a  real  number  between  0  and  I,  where  0 
represents  a  untrustworthy  user  and  1  a  trustworthy  user.  For  those  .systems  that  have 


108 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwial 


a  mechanism  to  detect  their  security  level  (or  trust  level  of  users),  the  exponential 
back-off  model  may  be  used.  For  example,  the  Compensatory^  Trust  Moclel\2S]  is  an 
automated  trust  evaluation  mechanism  specifically  designed  for  users  in  an  authenti¬ 
cated  systeni.The  exponential  back-off  model  has  the  advantage  of  simplicity,  clear 
intuition  and  an  easy  translation  to  an  implementation.  Also,  the  intuition  behind  it 
may  be  changed  depending  on  the  system  (and  the  users)  to  derive  other  ancillary 
models  (different  distributions)  that  may  perform  better  for  particular  systems. 

3.5  QoS-T  Mode]  2:  Game  Theoretic  Approach 

Given  a  workflow  process  with  multiple  sub-processes,  we  present  a  game  theoretic 
model  that  can  be  used  to  gradually  reduce  the  QoS  of  a  sub-proccss  and  tag  the  user 
as  proceeding  gradually  from  a  non-cooperative  user  to  a  malicious  user  during  the 
workflow. 


^  iii.iMlnr  .1.  .  \kK‘ 


•- 


^  i 

1^'"'  i 

1^'  i 

r  ^ 

► 

Sub 

Sub 

Sub 

Sub 

Sub 

Sub 

Proces.s  1 

Process  2 

Process  3 

PrtKcss  4 

Process.. 

PrtK'Css  n 

— z — 


f 


Timeline 


Fig.  2.  Modeling  the  Workflow  and  constituent  Sub-Proecsses 

We  leverage  on  two  well-studied  problems  of  game  theory  -  the  two  player  diffe¬ 
rential  game  of  “Guarding  a  Territory”  [12]  and  the  “Dolichobrachi.stochrone”  [llj. 
The  entire  timeline  of  the  users’  actions  in  a  session  is  split  into  many  fragments. 
Each  fragment  represents  some  sub-process  in  the  workflow  (e.g.,  the  execution  of  a 
process/application).  The  process  of  changing  the  QoS  is  equivalent  to  varying  the 
ratc/difficulty  with  which  the  user  can  access  the  resource  or  complete  execution  of 
the  process.  The  Dolichobrachistochrone  game  models  each  fragments  of  the 
timeline,  i.e.,  the  re  source -access  event.  After  every  resource  access,  we  need  to  de¬ 
termine  the  security  .state  of  the  system  (or  in  other  words,  classify  the  user  and  hence 
infer  the  .security  state  of  the  system).  The  second  differential  game  of  “Guarding 
the  territory”  models  the  security  state  of  the  system.  This  game  also  models  the 
point  where  the  noncompUant  user  becomes  a  malicious  user.  These  two  games  are 
chained  to  provide  proper  feedback  so  that  the  output  of  the  Dolichobrachistochrone 
game  is  the  input  to  “Guarding  the  territory.”  This  process  is  shown  in  Figure  2.  The 


QoS-T:  QoS  Throtiling  to  Elicit  User  Cooperation  in  Computer  Systems  109 


Dolichobraehistoehrone  game  is  also  called  a  supergame,  within  which  repetitions  of 
the  smaller  ‘guarding  the  territory’  game  is  played.  The  game-theoretie  model  is  more 
involved,  with  a  greater  emphasis  on  .sy.stem  specifies  and  an  inbuilt  mechanism  for 
u.ser  classification.  A  detailed  description  of  these  games  is  given  in  the  appendix. 

The  control  variables  of  the  two  games  are  chosen  depending  on  the  system  under 
consideration  and  the  security  mechanism.  The  final  step  in  the  model  is  to  chain  the 
two  games  so  that  the  output  of  the  Dolichobraehistoehrone  is  the  input  of  the 
“Guarding  the  territory”  game.  The  payoff  of  the  Dolichobraehistoehrone  is  .vfT'j, 
which  is  the  distance  traveled  by  the  particle  P.  The  player  ii  in  the  “Guarding  the 
territory”  game  can  now  travel  a  distance  x{T)  towards  the  region  Qby  a  predeter¬ 
mined  angle. If  the  playerwere  to  reach  the  region  before  the  session  is  over,  the  secu¬ 
rity  state  of  the  system  can  be  changed  and  appropriate  action  can  be  initiated. 


4  Proof-of-Concept  Illustration 

In  this  section,  we  introduce  a  simplified,  yet  generalized  scenario  encountered  by 
network  administrators  in  most  IT  organizations.  We  then  derive  the  threat  model 
from  a  basic  social  engineering  attack  and  present  the  application  of  the  game  theoret¬ 
ic  QoS-T  model  to  this  problem,  illustrating  its  practical  utility. 

4.1  Threat  Scenario 

An  experiment  [26|  was  conducted  by  “The  Training  Camp”  where  commuters  in 
I.ondon  were  offered  free  CD’s  with  special  Valentine  Day's  promotion.  Despite  a 
clear  warning,  most  employees  apparently  inserted  the  CD  and  ran  the  program 
(which  displayed  a  warning  against  such  actions).  In  a  similar  vein,  another  experi¬ 
ment  125]  (akin  to  a  social  engineering  penetration  testing)  revealed  that  free  USB 
disks  which  were  ‘discovered'  by  employees  were  blindly  inserted  into  computers, 
thereby  triggering  the  execution  of  a  (potentially  malicious)  program. 

The  situation  is  similar  with  the  case  of  downloading  and  installing  programs  from 
the  Internet.  For  example,  consider  the  process  of  downloading  and  executing  a  tile 
from  the  Internet.  The  user  launches  a  browser,  connects  to  the  web  site  that  hosts  the 
file  (or  is  redirected  to  the  site),  downloads  the  executable  and  then  executes  it.  As¬ 
sume  that  the  systems'  best  practices  state  that  unless  a  downloaded  executable  is 

signed  by  a  trusted  publisher,  it  is  preferable  to  not  execute  it.  This  typical  sequence  of 

operations  initiated  by  the  user  can  be  broken  down  into  sub-processes,  each  of  which 
plays  a  role  in  the  complete  operation.  This  example  brings  out  the  following  points: 

(a)  The  process  of  downloading  and  running  untrusted  executables  is  a  manifestation 
of  the  weak  human  factor. 

(b)  This  process  is  not  part  of  the  user's  workflow  in  the  organization. 

(c)  The  entire  process  can  be  split  into  a  number  of  sub-proce.sses: 

a.  Browsing  to  an  untrusted  zone 

b.  Initiating  a  File  download 

c.  Executing  the  file 

For  the  .sake  of  illustration,  we  assume  that  executing  untrusted  executables  in  the 
current  user  context  is  not  completely  prohibited,  but  is  undesirable.With  this 


110 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwial 


scenario,  let  us  explore  how  the  new  paradigm  can  be  applied.  We  have  two  levels 
here.  First  we  want  to  throttle  the  service  quality,  but  not  affect  the  user's  legitimate 
workflow.  Secondly,  we  would  like  to  use  the  additional  CPU  cycles  gained  to  per¬ 
form  some  useful  work,  in  terms  of  increasing  system  performance  and  security.  To 
degrade  the  application  level  QoS,  the  browser  could  be  slowed  down  in  a  number  of 
ways  (inserting  artificial  sleep  statements  in  the  browser  process,  slowing  down  the 
network  bandwidth  available  to  the  browser  process,  etc.).  This  degradation  is  in¬ 
itiated  only  after  a  proper  feedback  is  provided  to  the  user,  warning  him  to  refrain 
from  the  actions.  This  degradation  by  no  means  affects  the  system  performance  (if 
there  are  any  background  processes  running)  and  provides  the  developer  an  opportu¬ 
nity  to  insert  (for  example)  security  logging  statements,  like  logging  the  site  where  the 
browser  navigated  to,  the  plug-ins  activated  by  the  site,  etc.  After  the  application  has 
been  downloaded,  the  u.ser  could  be  given  an  option  to  run  the  application  inside  a 
sandbox  with  restricted  permissions,  or  run  the  application  with  less  than  normal 
privileges.  Additionally,  the  application  level  QoS  could  be  degraded  by  in.serting 
artificial  sleep  statements  in  an  approach  similar  to  [30]. 

4.2  Threat  Mode!:  Multiple  Untrusted  Applications  Execution 

In  this  threat  model,  wc  envisage  a  scenario  where  users  are  required  to  specify  in 
their  workflow  patterns  the  most  commonly  u.scd  applications  in  a  typical  session. 
This  represents  a  .secure  and  controlled  environment  such  as  the  military  operations  or 
a  secure  and  compartmentalized  job  in  an  industry.  As  mentioned  in  Figure  1,  specify¬ 
ing  the  workflow  is  a  onetime  process.  If  the  applications  users  execute  fall  within  the 
purview  of  the  workflow,  they  are  accorded  a  high  application  level  QoS.  As  they 
execute  applications  outside  the  workflow  specification  (possibly  due  to  malicious 
intent  or  due  to  an  impersonation  attack),  the  QoS  is  gradually  reduced.  When  the 
number  of  applications  outside  the  workflow  specification  exceeds  a  limit  defined  by 
the  users  trust  level,  the  u.ser  is  declared  malicious.  This  clearly  illustrates  the  game 
theoretic  model;  one  game  is  u.sed  to  determine  the  QoS  and  the  other  is  used  to  de¬ 
termine  when  the  non-cooperative  user  becomes  a  malicious  user. 

The  QoS  degradation  for  this  threat  modelis  similar  to  the  concept  of  penalizing 
specific  system  processes,  which  is  the  approach  by  Somayaji  and  Forrest  [24],  where 
an  exponentially  increasing  delay  (artificial  sleep  statements)  was  introduced  between 
.sy.stem  calls. 

The  final  step  is  translating  the  model  to  the  actual  timing  details.  We  fixed  the  dis¬ 
tance  of  the  user  from  the  territory  12  (Figure  6  in  the  appendix)  to  be  the  maximum 
number  of  unauthorized  applications  for  a  standard  user  (.xv,  =  7  units  in  Eq.  5  in  the 
appendix).  As  we  shall  see,  users  arc  tagged  malicious  if  their  trust  level  is  low  or 
never  tagged  as  malicious  if  their  trust  level  is  high,  even  if  they  exceed  the  maximum 
value  set  for  the  standard  user.  The  users'  trustworthiness  (Ut)  was  varied  between  0 
and  1  (0  <Ut^  1).  rw  in  Eq.  5  in  the  appendix  was  set  to  1 .  Finally  the  delay  time  (T) 
in  the  Dolichobrachistochrone  game  is  inversely  proportional  to  Ut  (T  =  a  /  Ut).  One 
time  unit  is  set  to  10  milliseconds  for  this  plug-in.  These  assignments  finally  reduced 
the  model  to  evaluation  of  the  Dolichobrachistochrone  game  Eq.  5  in  the  appendix, 
which  now  reads  as  follows: 


QoS-T;  QoS  Throttling  to  Elicit  User  Coopcnition  in  Computer  Systems* 


MT)  =  x' 


T  1 

- +  7  —  sin(7') 

2  2 


(2) 


The  variable  a  (in  T  =  a  /  U|)  for  each  action  was  set  and  subsequently  increased 
according  to  Table  1.  Subsequent  values  ot\v„  were  assigned  to  the  previous  values  of 
x{T)  as  calculated  by  Eq.  5  in  the  appendix.  We  varied  the  users'  trust  level  and  plot¬ 
ted  the  time  delay  as  well  as  the  number  of  unauthorized  applications  it  would  take  for 
the  user  to  execute  to  penetrate  the  territory.  The  resulting  action  by  the  security  sub¬ 
system  depends  on  the  domain.  The  plug-in  raised  an  administrative  alert  when  the 
territory  was  reached  by  the  user. 


Table  1.  Values*  of  \Jj  and  corresponding  a 


Trust  Level  (L’t) 

Alpha  (a  in  T  =  a  /  Uj ) 

Figure 

0.1 

Initially  set  to  0. 1  and  increased  by  0. 1 

3.a 

0.3 

Initially  set  to  0.1  and  increased  by  0.1 

3.b 

0.7 

Initially  set  to  0.15  and  increased  by  0. 15 

4.  a 

1.0 

Initially  set  to  0.2  and  increased  by  0.2 

4.b 

Figure  3  shows  the  time  delay  for  low  values  of  user  trust  levels  and  the  number  of 
actions  (or  equivalently,  the  number  of  untrusted  applieations  exeeuted)  it  takes  for 
the  users  to  transit  from  a  non-cooperative  user  to  a  malicious*  user. 

QoS  Degradation  for  Ut  =  0.1:  Figure  3. a  shows  the  time  delay  rate  (T)  and  the 
progress  of  the  user  towards  the  territory  (x(T)  )  for  a  trust  level  of  0.1.  Since  the  users 
trust  level  is  very  low,  the  user  rapidly  progresses  towards  the  territory,  indicative  of 
his  low  trust  level:  he  is  tagged  as  malieious  (at  the  point  where  a(  /3  crosses  y  =  0) 
by  the  fifth  unauthorized  application. 

QoS  Degradation  for  Uj  =  0.3:  Contrast  this  with  Figure  3.b,  which  shows  the  same 
plot  lor  a  trust  level  of  0.3.  The  time  delay  rate  is  still  the  same  (a  is  the  same),  but 
the  user  approaches  the  territory  slowly,  indicative  of  an  increased  trust  level,  and  is 
tagged  as  malicious  only  by  the  1 1‘^  unauthorized  application,  as  opposed  to  the  fifth 
one  in  Figure  3. a.  Figure  4  shows  the  time  delay  for  high  values  of  user  trust  levels.  In 
this  ca.se,  we  note  that  the  user  does  not  actually  penetrate  the  territory,  indicative  of 
the  high  trust  level.  Instead,  there  is  a  gradual  oscillatory  movement  due  to  the  sinu¬ 
soidal  component  in  Eq.  5  in  the  appendix. 

QoS  Degradation  for  Uy  =  0.7:  As  illustrated  in  Figure  4. a,  the  user  initially  ap¬ 
proaches  the  territory  since  the  session  scope  is  not  complied  with.  Due  to  the  sinu¬ 
soidal  component  in  Eq.  5  in  the  appendix,  the  initial  approach  towards  the  territory  is 
replaced  with  a  movement  away  from  the  territory.  We  interpret  this  sinusoidal  oscil¬ 
lation  as  follows:  This  user  is  not  deemed  malieious  at  any  point  of  time,  due  to  his 
high  trust  level.  But,  we  also  set  a  lower  time  delay  rate  as*  the  system  expects*  him  to 
be  cooperative  and  .security  conscious*  due  to  his*  high  trust  level.  For  example,  the 
time  delay  for  this  user  at  the  end  of  the  1  unauthorized  application  action  is  2.35 
time  units  (23.5  milliseconds)  while  the  time  delay  for  the  user  in  Figure  4.b  (Uj  = 
0.3)  is  3.66  time  units  (36.6  milli.seconds). 


112 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwiat 


Fig.  3.  QoS  degradation  for  low  values  of  user  trust  level 


Fig.  4.  QoS  degradation  for  high  values  of  user  trust  level 

QoS  Degradation  for  Ut  =  1:  Here  we  illustrate  a  situation  where  the  user  is  com¬ 
pletely  trustworthy.  In  Figure  6.b,  the  user  does  not  even  approach  the  territory  (in¬ 
deed,  he  moves  away  from  it)  since  he  is  completely  trustworthy.  However,  the  time 
delay  is  made  higher  (0.2  units).  The  time  delay  at  the  end  of  the  1 1'^  action  for  this 
user  is  4.4  units  (44  milliseconds).  Such  progressively  high  time  delays  virtually 
render  the  unauthorized  applications  inoperable  (for  the  user).  Note  that  the  act  of 
setting  higher  time  delays  for  highly  trusted  users  is  intuitive  and  logical,  since  trusted 
users  in  mission  critical  areas  are  expected  to  be  aware  of  the  security  subsystem  and 
hence,  cooperative.  Their  high  trust  levels  ensure  that  they  are  not  tagged  as  malicious 
at  any  point  in  time,  a  privilege  they  earn  at  the  cost  of  actively  cooperating  with  the 
security  subsystem.  A  simple  scheme  to  ensure  that  users  consistently  approach  the 
territory  as  time  progresses  is  to  provide  a  feedback  loop  and  lower  their  trust  level 
progressively.  This  aspect,  however,  is  out  of  scope  of  this  paper,  for  trust  assignment 
and  management  is  another  research  area  by  itself. 

5  Conclusion  and  Future  Work 

Farmer’s  Law  states,  ‘The  security  of  a  computer  system  degrades  in  direct  propor¬ 
tion  to  the  amount  of  use  the  system  receives.”  Farmer  self-proclaimed  this  as  his  law 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation  in  Computer  Systems  1 13 


in  a  survey  on  the  security  of  Key  Internet  Hosts,  highlighting  the  fact  that  users  are 
often  the  greatest  risk  to  system  security.  In  a  similar  vein,  Schneier[23]  states  that  the 
very  interaction  between  humans  and  systems  forms  the  greatest  risk  to  IT  systems. 
For  specific  threat  models  (like  weak  passwords,  phishing,  social  engineering,  etc.), 
there  are  specific  solutions.  But  the  greater  problem  of  involving  the  users  in  the 
security  loop  has  remained  unaddressed  so  far.  The  reason  for  this  lies  in  the  miscon¬ 
ception  that  QoS  and  .security  arc  orthogonally  achievable  goals.  In  highly-critical 
information  systems  the  need  to  appeal  to  thc.se  u.sers  and  elicit  their  cooperation  is 
paramount.  Trading  application  level  QoS  in  terms  of  transparency/easc  of  usage  for 
user  involvement  with  the  security  mechanisms  in  place  is  justified  and  in  fact,  neces¬ 
sary.  The  solution  advocated  in  this  paper  is  a  graceful  degradation  of  the  rendered 
application  specific  QoS  that  the  user  perceives  in  the  face  of  a  conspicuous  lack  of 
cooperation.  For  example,  consider  the  case  of  data  breaches  in  corporate  environ¬ 
ments;  a  recent  article  in  the  Wall  Street  Journal  states  (32)  states  that  data  breaches 
are  on  the  rise;  most  often,  the  data  breaches  are  not  detected  immediately  and  oF 
fenders  are  rarely,  if  ever,  held  accountable.  The  QoS-T  framework  proposed  in  this 
paper  could  be  viewed  as  a  contractual  requirement  by  the  customer  of  businesses;  it 
may  be  viewed  as  a  mechanism  to  correct  complacency  by  corporate  members'  in- 
situ.  Any  complacency  by  businesses  (and  their  employees)  in  applying  appropriate 
security  measures  towards  data  protection  would  lead  to  a  lowering  of  QoS,  which  in 
turn,  would  directly  affect  productivity  (and  hence,  would  affect  the  “sacred"  bottom- 
line).  Thus  conformance  to  security  measures  will  not  be  limited  to  merely  a  moral 
code  but  enforced  with  a  monetary  means. The  application  of  game  theoretic  models 
to  practical  scenarios  will  lead  us  into  interesting  problems  |181  which  have  to  be 
re.solved  in  a  context  specific  manner.  Although  it  is  debatable  if  such  a  model  will 
really  ensure  user  cooperation,  we  hope  that  in  the  same  manner  a  user  types  his 
pas.sword  carefully  the  second  time  to  avoid  typographical  mistakes  (and  hcncc  addi¬ 
tional  delays  in  password  system.s),  the  implementation  of  this  model  will  encourage 
the  user  to  cooperate  and  actively  participate  with  the  security  subsystem. 


References 

1 .  DoD  Directive  85(X).  I ,  Information  Assurance,  1 A  (2002) 

2.  Adams,  A.,  Sassc,  M.A.:  Users  are  not  the  enemy.  Commun.  ACM  42,  40-46  (1999) 

3.  Bro.stoff,  S.,  Sasse,  M.A.:  Safe  and  Sound:  a  Safety-Critical  Approach  to  Security.  In:  Pro¬ 
ceedings  of  the  NN  orkshop  on  New  security  paradigms.  ACM  Press*,  Cloudcroft  (2001) 

4.  Brostofi*,  S.,  Sasse,  M.A.:  Ten  strikes  and  you're  out:  Increasing  the  number  of  login 
attempts  can  improve  passwt)rd  usability.  In:  Workshop  on  Human-Computer  Interaction 
and  Security  Systems,  Ft.  Lauderdale,  FL,  USA  (2003) 

5.  CERT.  CERT^’  Advisory  CA-20()0-04  Love  Letter  Worm  (20<)5), 
http : / /WWW. cert . org /advisories /CA^ 2 000-04 . html 

6.  Hinds.  C.,  Ekwiiemc,  C.:  Increasing  security  and  usability  of  computer  systems  with 
graphical  passwords.  In:  Proceedings  of  the  45th  annual  southeast  regional  conference. 
ACM  Press,  Winston-Salem  (2007) 

7  Levin,  D.:  Punishment  In  Selfish  Wireless  Networks:  A  Game  Theoretic  Analysis.  In:  Pro¬ 
ceedings  of  Economics  of  Networked  Systems.  NetECON  Ann  Arbour,  Michigan  (2006) 

8.  Davis,  M.:  Game  Theory:  A  nontechnical  introduction.  Dover,  New  York  ( 1 983) 


114 


V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwial 


9.  Dourish,  P.,  Grintcr,  R.,  Dalai,  B.,  Flor,  J.D.,  Joseph,  M.:  Security  Dny-to-Day:  User  Strat¬ 
egics  for  Managing  Security  as  an  Everyday,  Practical  Problem,  Institute  for  Software  Re¬ 
search,  University  of  California,  Irvine  (2003) 

10.  Bergadano,  F.,  Gunetti,  D.,  Picardi,  C.:  User  authentication  through  keystroke  dynamics. 
ACM  Trans.  Inf.  Syst.  Secur.  5,  367-397  (2002) 

1 1.  Freedman,  A.:  The  Dolichobrachistochrone  Game,  Differential  Games,  107p.  John  Wiley 
&  Sons,  Inc.,  Chichester  (1971 ) 

12.  Freedman,  A.:  Guarding  a  Territory,  Differential  Games,  29p.  John  Wiley  &  Sons,  Inc., 
Chichester  (1971) 

13.  Howard,  M.:  Browsing  the  Web  and  Reading  E-mail  Safely  as  an  Administrator.  In: 
MSDN  (2004) 

14.  Irvine,  C.,  Levin,  T.,  Sypropoulou,  E.,  Allen,  B.:  Security  as  a  Dimension  of  Quality  of 
Service  in  Active  Service  Environments.  In:  International  Workshop  on  Active  Middle¬ 
ware  Services,  San  Francisco,  CA  (2(X)I ) 

15.  Irvine,  C.,  Levin,  T.:  Quality  of  Security  Service.  In:  Proceedings  of  the  New  Security  Pa¬ 
radigms  Workshop.  ACM  Press,  Ballycotton  (2000) 

16.  Linn,  J.:  Generic  Security  Service  Application  Program  Interface,  IETF  Request  for  Com¬ 
ments  (1993) 

17.  Luce,  R.D.,  Raiffa,  H.:  Games  and  Decisions.  Dover,  New  York  (1989) 

18.  Mahajan,  R.,  Rodrig,  M.,  Wetherall,  D.,  Zahorjan,  J.:  Experiences  applying  game  theory  to 
system  design.  In:  Proceedings  of  the  ACM  SIGCOMM  workshop  on  Practice  and  Theory 
of  Incentives  in  Networked  Systems.  ACM  Press,  Portland  (2004) 

19.  McAfeeCorporation,  The  Enemy  Within  (2005), 

http; / /WWW. theregister .co.uk/2005/12/15/ 
mcaf ee_internal_security_survey/ 

20.  Liu,  P.,  Zang,  W.,  Yu,  M.:  Incentive-based  modeling  and  inference  of  attacker  intent, 
objectives,  and  .strategies.  ACM  Trans.  Inf.  Syst.  Secur.  8,  78-1 18  (2(K)5) 

21 .  Sankaranarayanan,  V.,  Chandresekaran,  M.,  Upadhyaya,  S.:  Position:  The  U.ser  is  the  Enemy. 
In:  Proceedings  of  the  New  Security  Paradigms  Workshop,  New  Hampshire,  USA  (2(X)7) 

22.  Sasse,  M.A.:  Computer  Security:  Anatomy  of  a  Usability  Disaster,  and  a  Plan  for  Recov¬ 
ery.  In:  CHI  2003  Workshop  on  Human-Computer  Interaction  and  Security  Systems,  Ft. 
Lauderdale,  FL,  USA  (2003) 

23.  Schneier,  B.:  Secrets  and  Lies:  Digital  Security  in  a  Networked  World.  John  Wiley  & 
Sons,  Inc.,  New  York  (2000) 

24.  Somayaji,  A.,  Forrest,  S.:  Automated  Response  Using  System-Call  Delays.  In:  Usenix 
Security  Symposium  (2000) 

25.  Stasiukonis,  S.:  Social  Engineering,  the  USB  Way.  Dark  Reading,  Secure  Network  Tech¬ 
nologies  Inc.  (2006),  http:  / /www. darkreading  .  com/document . asp?doc_id 
=95556&WT . svl=columnl_l 

26.  Sturgeon,  W.:  Proof:  Employees  don’t  care  about  security,  Silicon.com  (2006), 
http: //software. silicon , com/security/ 0 , 39024655, 

39156503, 00. htm 

27.  Tzur  R.:  Sandbox  IE  (2006),  http:  / /www,  sandboxie  .  com/ 

28.  Sankaranarayanan,  V.,  Upadhyaya,  S.:  A  Trust  Assignment  Model  based  on  Alternate  Ac¬ 
tions  Payoff.  In:  Stolen,  K.,  Winshorough,  W.H.,  Martinelli,  F.,  Massacci,  F.  (eds.)  iTrust 
2006.  LNCS,  vol.  3986,  pp.  339-353.  Springer,  Heidelberg  (2006) 

29.  Weirich,  D,,  Sasse,  M.A.:  Pretty  good  persuasion:  a  first  step  towards  effective  password 
security  in  the  real  world.  In:  Proceedings  of  New  Security  Paradigms  Workshop.  ACM 
Press,  Cloudcroft  (2001 ) 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation  in  Computer  Systems 


115 


30.  Whitten,  A.,  Tygar,  J.D.:  Safe  staging  for  computer  security.  In:  HCl  and  Security  Systems 
Workshop,  CHI,  Ft.  Lauderdale,  Florida  (2003) 

31.  Xia,  H.,  Brustoloni.  J.C.:  Hardening  Web  browsers  against  man-in-the-middle  and  eave¬ 
sdropping  attacks.  In:  Proceedings  of  the  14th  international  conference  on  World  Wide 
Web.  ACM  Press,  Chiba  (2005) 

32.  Wall  Street  Journal:  Data  Breaches  Surpass  2007  Level,  Bui  Businesses  Rarely  Are  Pena- 
li/cd  (2008) 


Appendix 

Dolichobrachistochrone:  The  Dolichobraehistoehronc  game  is  a  two  player  differen¬ 
tial  game  where  a  point  mass  P  in  a  uniform  gravitational  field  is  constrained  to  move 
without  friction  along  a  given  curve  Y-  illustrated  in  Figure  5.  For  equation 
convenience,  the  gravitational  field  is  in  the  direction  of  the  positive  y  axis.  The  objec¬ 
tive  of  P  is  to  choose  a  curve  so  that  it  reaches  the  line  x  =  0  (the  y-axis)  in  minimum 
time.  The  ptayer  E  has  an  objective  of  trying  to  slow  P  as  much  as  possible.  E  has  a 
force  Vjf  that  can  be  applied  to  slow  P  from  reaching  x  =  0.  The  conditions  of  the  game 
dictate  that  the  particle  P  will  definitely  reach  the  y  axis  in  a  finite  time.  P's  objective  is 
to  minimize  its  arrival  time  to  x  =  0.  E's  objective  is  to  maximize  the  time  for  P  to 
reach  x  =  0.  In  our  model,  P  represents  the  user  and  E  the  security  mechanism.  For 
every  access  to  a  resource,  the  user  attempts  to  minimize  his  time  of  access.  This  trans¬ 
lates  to  P  minimizing  its  arrival  time  to  x  =  0.  The  security  mechanism  (E  in  the  game) 
attempts  to  vary  the  rendered  QoS  according  to  the  force  V|/.  Figure  5. a  shows  the  par¬ 
ticle  P  falling  through  the  curve  ;{owards  the  y  axis  (x  =  0).  Figure  5.b  shows  the  play¬ 
er  E  with  an  opposing  force  Xj/.  The  equations  of  motion  for  the  particle  P  are  described 
in  1 1  1  ].  The  payoff  of  the  game  is  the  distance  traveled  by  the  particle  P. 

PHl/)  =  x(T)  (3) 

where  T  is  the  time  for  P  to  reach  x  =  0  and  \|/  is  a  positive  constant  (\|/  =  EB  =  EC  in 
Figure  5.b). 


y 

A 


#  P 


->x 


(a) 


A 


>C 


•A 


¥ 


y 

B 


¥ 


¥ 


EB  =  EC 


-►X 


(b) 


Hg,  5,  Dolichobrachistochrone  Game 


116  V.  Sankaranarayanan,  S.  Upadhyaya,  and  K.  Kwiat 


The  optimal  trajectory  for  the  particle  P  is  given  by: 


(4) 


x(l)  =  .v„  - 


I  +  cot  + 


1 


where  -1  <  to  <  1.  The  reader  is  referred  to  [11]  for  more  details.  The  Value  of  the 
game  (which  is  the  payoff  under  optimal  conditions)  is  x(T)  that  is  evaluated  from  Eq. 
5.  Hence  the  security  mechanism  can  choose  T  (which  is  the  time  (delay)  taken  by  the 
user  to  access  the  resource)  or  equivalently,  the  force  \\f  based  on  the  system  parame¬ 
ters  like  the  value  of  the  resource  being  pursued  (Ry),  the  trustworthiness  of  the  user 
(Ux),  etc. 

Guarding  the  Territory:  This  game  repre.sents  a  model  in  which  a  player  v  is  guard¬ 
ing  a  territory  Qagainst  an  invasion  by  the  player  u,  a.sshown  in  Figure  6.  The  motion 
of  u  and  v  are  described  by  differential  equations  [12].  The  initial  conditions  are  set  as 
x(0)  =  A  and  y(0)  =  B.  As  illustrated  in  Figure  4,  player  v,  the  Security  mechanism,  is 
located  at  B,  while  player  u,  the  user,  is  located  at  A.  In  Figure  6,  the  players  are 
initially  separated  by  a  di.stance  AB.  C  is  the  mid-point  of  segment  AB.  CY  is  per¬ 
pendicular  to  AB,  with  Y  being  the  nearest  point  to  the  region  Qsueh  that  Y*Z*  is 
perpendicular  to  Y  C.  Z  is  the  point  on  the  region  Q  that  is  nearest  to  the  line  seg¬ 
ment  CY*.  We  denote  the  distance  of  any  point  x  on  the  plane  to  the  territory  Q  as 
f/(x,Q).  Each  cooperative  action  by  the  user  symbolically  takes  him  farther  away  from 
the  region  Q.  The  model  expects  the  security  mechani.sm  to  provide  a  feedback  on  the 
nature  of  the  user's  action  and  a  quantitative  measure  of  the  same  (which  is  obtained, 
in  this  case,  from  the  Doliehobrachistochrone  game). 


r 


Y‘ 


\ 


\ 


\ 


\  7’ 


U 


A 


•  B'  ' 


•  B 


B 


Fig.  6.  Guarding  the  lerriiory 


QoS-T:  QoS  Throttling  to  Elicit  User  Cooperation  in  Computer  Systems 


1 17 


This  measure  effectively  takes  the  user  towards  the  region  12  or  away  from  it.  The 
region  ^2  is  the  “intrusive”  region  which  the  security  mechanism  can  be  thought  of  as 
trying  to  protect.  The  payoff  function  of  the  differential  game  is  given  as: 

J(x{T),  f2),  ifx<T 

/^(u,v)=  /  N,  if  T  =  T  and  x(T)  lies  on  the  same  side  of  CY^  as  A  (6) 

^  0,  if  X  =  T  and  x(x)  lies  on  the  same  side  of  CY*  as  B 

where  N  ,  ^2).  In  a  typical  equilibrium  strategy,  every  motion  of  u  towards  the 
regionI2  is  matched  by  v  by  a  similar  mirror  image  move  across  CY  as  indicated  by 
the  dotted  lines  in  Figure  4.  For  instance,  the  move  AA'  is  matched  by  BB\  A' A"  by 
B'B'\  The  objective  of  the  player  ii  is  to  miiiimi/e  the  payoff  P{u,v)  in  Eq.  5.  whe¬ 
reas  player  v  tries  to  maximize  it.  Hence,  in  the  original  game,  if  player  uchose  not  to 
come  near  the  territory  Q,  he  is  pcnali/ed  by  a  payoff  N.  If  v  did  not  guard  the  territo¬ 
ry  “very  well”,  he  is  penalized  by  a  payoff  of  0. 


Problems  of  Modeling  in  the  Analysis 
of  Covert  Channels 


Aloxaiiclor  Grusho^  Nikolai  Griislio^,  and  Elena  Tiiiioiiiiia*^ 


^  Moscow  State  University,  GSP-2,  Leninskie  Gory, 
Moscow,  119992,  Russian  Federation 
grushoQyandex . ru 

^  Russian  State  University  for  the  Hiniianiti('s,  25  Kirovogradskaya, 
Moscow,  113534,  Russian  F’ederation 


Abstract.  Sometimes  the  analysis  of  covert  channel  is  w'eakly  depen¬ 
dent  on  the  correctness  of  probabilistic  models,  but  more  often  the  result 
of  such  analysis  is  seriously  dt'peiideiit  on  the  choice  of  a  probabilistic 
model.  VVe  show  how  the  problem  of  deUxtion  of  covert  commniiica- 
tions  dejjends  on  the  correctne-ss  of  the  choice  of  probabilistic  model.  We 
found'  the  dependence  of  judgments  about  invisibility  of  covert  commu¬ 
nication  from  the  bans  in  a  prol)abilistic  model  of  the  legal  communica¬ 
tion. 

Keywords:  covert  cluuniel,  detection  of  information  flow,  covctI  com¬ 
munication. 


1  Introduction 

Applications  of  stati.stical  methods  in  the  analysis  of  covert  channels  or  covert 
coiinminication  arc'  widely  discussed  in  (he  literature  [1,2].  Then  everywhere 
we'll  use  the  term  covert  channel.  In  the  analysis  of  cxnrrt  channels  the  focus  is 
concentrated  on  statistical  detection  of  croimmiiiicatioiis  with  hidden  inforniation 
[3.4,5].  Another  important  task  is  to  assess  the  cajiacity  of  covert  rliainiels  [6.7]. 
All  wx)rks.  wliic'li  are  a.ssociated  with  these  tas’ks,  use  probabilistic  models  of  legal 
c'oinmiinic'atmns  and  probabilistic  models  of  infornuitioii  iiidiiig. 

In  this  paper  we  discn.ss  some  problems*  of  probabilistic  modeling  in  the  anal¬ 
ysis  of  covert  channels.  Sometimes  tlu'  analysis  of  covert  cliaimols  is  weakly 
dependent  on  the  c*orrc'ctiic\ss  of  probabilistic  iiiodc'ls.  We  show  that  the  |)rol)l('iii 
of  detc'ctioii  of  covert  channels  depends  strongly  on  the  corrc'ctness  of  the  choice 
of  prc^babilistic  model.  We  note  that  the  small  differences  in  that  probabilistic 
niodels  can  significantly  affect  tlic'  topological  structure  of  the  sots,  associated 
with  supports  of  probability  iiic'asurc's,  used  in  the  siimilatioii.  We  show  that  the 
topological  .structure  of  such  sets  depends  on  the  bans  (prohibitions)  of  certain 
configurations  whk'h  cannot  appear  in  legal  eoniriimiirations. 

'  This  work  was  supported  hy  the'  Russian  Foundation  for  Basic  Research,  grant  10- 

01-00480. 


I.  Kolonko  and  V.  Skormin  (Bds  ):  MMM-ACNS  2010,  LNC’S  G2.'j8,  pp.  118  121.  2010. 
©  Springs r-\erlag  Berlin  Heidelberg  2010 


Problems  of  Modeling  in  tlu'  Analysis  of  C’ovc'rt  Cliaiiiu'is  I  I‘) 

H('S('arcli  of  such  bans  lecoi vod  little  attention  in  the  analysis  of  eovc'rt  ehan- 
iK'ls.  The  appearaiiee  of  forbidchai  eonfigiirations  can  greatly  simplify  the  s('arcli 
of  covert  (  haimels. 

The  pap(‘r  has  the  following  structure.  In  section  2  we  consider  the  motiva¬ 
tion  ('xainpk's  to  ('xplain  the  probkMii  of  modeling  of  covert  ehaimols.  Section  3 
shows  how  to  build  a  topological  space,  whose  structure  reflects  the  propf'ities 
of  probabilistic  models  of  covert  channels.  We  find  .sonu'  t.opological  prop('rti(\s 
of  some  sc'ts  n'kitcnl  to  the  rest  rid  ions  in  the  structures  of  legal  coiniimnications. 
We  {iav('  built  an  exani])le  in  which  the  appearance  of  a  ban  severely  alters  the 
topological  structure  of  tfie  (onsidered  sets.  In  conclusion  \vc  summarize  th(' 
r(\sults  and  oiitliiu'  tlu'  path  for  further  research. 

2  Preliiiiiiiary  Discussion 

Let  T  -  a  chaniH'l  from  c()iui)nter  A  to  coinpiitc'i*  H.  All  transmittc'd  information 
in  T  must  not  contradict  business  processes  in  A  and  B.  which  T  supports.  A'  is 
ail  agent  of  an  adversary  in  A  and  B’  is  an  agent  of  an  adversary  in  B.  A'  may 
suspcMid  the  transmission  of  legal  information  and  inserts  its  own  message',  riu' 
schedule  of  hidde'ii  ui(*.ssag('  transfer  is  known  to  B\  It  is  a  k('v. 

We  consiek'r  the  Simmons's  model  [8]  for  hidden  signal  (message)  from  A' 
to  B\  having  the  channel  (network)  T  at  their  disi)osal.  Observer  V  interc'epts 
e\‘(M*vthing  that  is  transniitte'd  from  A  to  B  and  deciek'S  if  tlu're  is  a  covert 
coiimnniication  or  not.  When  A  chooses  me.ssages  independently  then  the  ease 
was  coiisid(T('d  in  [9].  Tlie're  w('  pro\'('d  (‘onditioiis  of  absolute  invisibility'  of  covert 
channel. 

b('t  A"  !)('  the  s('t  of  possibk'  messages.  Regardless  of  what  methods  of  aiiah  sis 
U  has.  his  decision  is  based  on  a  set  S  C  A"  of  message's  that  I  (*onsiders  ms  cove'i  t 
comnnmications.  If  .r  is  tlu'  mcs.sage,  which  U  has  observed,  then  V  makes  the 
(k'cisiou  oil  th('  ('xistence  of  hirlden  transmi.ssion  in  the  ca.se.  wIk'ii  .r  6  S.  That 
is.  V  fias  a  computable  for  him  function  7r(.r,5),  where  7r(.r,5)  -  an  indicator  of 
th('  s('t  S. 

if./'  (kx's  not  belong  to  the  set  5.  then  V  does  not  cousiek'r  the  traiisfc'r  of  .r 
as  illegal,  i.e..  ’’does  not  see”  the  threat  of  .r. 

Suppose  that  A*  and  B‘  know  S.  Tiu'n  tln'Iiidek'H  transfer  must  fie  const  me  t('d 
so  that  the  t raiismil t('(l  mes.sage'  .r  ^  S.  We  say  that  in  this  case  V  ’’does  not 
se(‘‘‘  a  cov('rt  channel.  This  approach  de.scribes  both  as  dc'terministic  so  and 
probabilistic  models  of  cov'ert  ('ha.niK'ls.  For  detc'rmiriistic  iiuxk'ls  it  is  obvious. 

Consi(l('r  a  probabilistic  niodc'l  of  a  co\ert  channel,  ft  i:>resui>iK)scs  tfic  ('xis- 
teiice  of  a  probability  iiK'a.snre  Po  on  X ,  which  coriesponds  to  a  legal  choice'  of 
UK'ssage  ./•.  That  is.  U  tests  tlx'  hyi)oth(\si.s  Ho  :  Po  by  the  observation  .r.  (’ri- 
terion  is  de'fined  b\  the'  critical  set  S.  reject iiig  the'  hyiiotlu'sis  IIq  with  a  given 
level  of  ('iTor  probability  (■  (i.e.  Pq{S)  <  e). 

A  with  the  ’’help*  of  A’  chooses  a  message  .r  in  accordance  with  his  probability 
niemsiire  Pi,  For  ('xarnpk'  A'  n.se's  paii.sc's  betwc'eu  the  .s('nt('iic('.s  to  introduce  its 
own  information.  In  this  ca.se'  B  receives  the  ines.sage  ./*.  and  B’.  knowing  the 


120 


A.  Grusho,  N.  Griisho,  and  E.  Tiinonina 


secret  key  A;,  uses  the  distribution  Pi(j'|A;)  to  get  information  like  in  [10].  For 
example  B'  counts  the  posteriori  probability  to  make  a  decision  about  covert 
information  transfer  out  of  secretly  determined  periods  of  time.  Here  Pi{S)  - 
the  probability  to  be  noticed  when  sending  covert  messages. 

There  are  two  approaches  in  constructing  models  of  action  of  the  participants 
A\  B’  and  U.  The  first  approach  is  typical  for  U.  He  builds  any  sort  of  model.  In 
this  model,  U  builds  critical  set  5,  and  decides  if  there  is  or  there  is  no  a  covert 
channel.  If  U  guessed  and  correctly  solved  the  problem  of  protection,  then  it 
does  not  matter  how^  correct  is  his  model.  He  succeeded  because  his  model  has 
suggested  him  the  way  to  success.  Such  an  approach  to  model  in  the  analysis  of 
covert  channels  we’ll  call  ’’lodestar”. 

The  second  approach  in  constructing  models  of  action  of  the  participants  is 
typical  for  A’.  When  building  a  covert  channel,  he  must  explain  the  invisibility 
of  the  transmission,  because  defeat  could  follow  severe  consequences  for  him. 
To  justify  the  invisibility  of  the  covert  communication  A’  and  B’  inn.st  have  an 
adequate  model  of  the  .set  S. 

Consider  the  problem  of  the  adequacy  of  the  model  of  a  covert  channel.  If 
U  knows  that  for  any  choice  of  the  key  distributions  Pq  and  Pi  coincide,  it  is 
obvious  that  he  has  no  criterion  for  identifying  the  covert  channel  [2].  We  explain 
this  in  the  following  example. 

Example  1.  Participants  A’  and  B’  suggest  that  the  model  of  legal  transfer 
through  the  channel  T  is  determined  by  the  distribution  Pq.  Transfer  in  the 
channel  T  is  a  realization  of  an  infinite  sequence  of  iid  random  varial)les  taking 

values  in  the  alphabet  \  =  {x\,...Xjn)  with  probabilities  p  =  {pi _ />m)i  Pi  > 

0.  i  =  1,....;//,  X]r=i  Pi  —  1.  A’  may  do  insert  into  legal  transmission.  In  this 
model  A'  can  easily  prove  that  the  following  transmission  scheme  is  absolutely 
invisible  for  U. 

Let  the  set  of  messages  of  participant  A’  consists  of  Li,...,L,v-  He  encodes 
them  as  follows.  A'  builds  N  random  sequences  Ai . ...,  A;v  iii  accordance  with  the 

measure  /o,  and  each  message  i  —  I, ...,  N,  is  associated  with  Ai,  t  =  I . N. 

In  addition,  he  builds  a  long  key  random  binary  sequence  G.  To  arrange  invi.sible 
channel  for  U,  this  .set  of  data  secretly  from  the  U  is  transmitted  to  B\  Let  A’ 
is  going  to  transmit  message  Lj.  On  the  place,  where  the  sequence  G  Inis  1,  A' 
additionally  inserts  the  next  character  of  the  sequence  Aj.  We  obtain  thus  a 
sequence  of  iid  random  variables  with  the  {pi^...ptji)  -distribution  of  charactcTS 
on  the  set  \.  Thus,  for  IJ  we  have  Pq  =  Pi  and  U  does  not  see  the  hidden 
transfer. 

Example  2.  Assume,  for  simplicity  that  in  the  previous  example,  rn  =  2,  \  = 
{0. 1}  and  the  legal  channel  is  generated  by  the  simple  homogeneous  Markov 
chain,  in  which  the  transition  probability  matrix  has  all  elements  positive  except 
P(I,1)  =  0. 

The  covert  communication  using  the  method  of  the  previous  example  can 
be  easily  detected.  It  may  be  done  even  in  the  ca.se  when  sequences  Aj.j  = 
are  chosen  in  accordance  with  the  same  Markov  chain  as  in  the  legal 


l’r()l)l('ius  of  Modeling  in  the  Analysis  of  Covert  (liannels 


121 


eoiiiniunicalioii.  In  fact,  in  the  so(inenc('  there  is  an  infinite' 

iiuniber  of  I,  and  the  i)robHl)ilitv.  that  before  places  of  incorporat ing  the  hidden 
eleiiK'iit.s  it  will  always  be  elenient  equals  to  0,  tends  to  0.  Hence,  with  probabilitx 
tending  to  1 ,  there  will  l>e  the  combination  (1.1)  which  is  otithi.wed  in  the  Markov 
chain.  When  such  a  combination  is  obtained.  U  identifies  the  covert  transmission. 

These*  examples  show  that  a  mistake  in  the  choice  of  niciisure  I\)  may  lead  to 
detection  of  covert  channel  e-onstnicted  by  A’. 

More  elifficulties  for  A'  in  the  construction  of  a  cov(*rt  channel  ocenr,  if  the* 
distributions  of  se'epu'nee's,  transmitted  through  the  channel  (network)  T,  may 
vary.  That  is,  instc'ad  of  Pq  the  distril)Ution  of  the  legal  transniitte'd  s(*e|nene(* 
behjiigs  to  the  family  {/\,  A  C  i1},  and  the  edioice*  of  a  critical  set  S  for  U  may 
depend  on  A.  It  iiu'ans  that  U  re’ceiws  from  A  additional  information  about  the 
di.st ribntion  in  the  channel  (network)  T.  In  tliis  case  A*  does  not  possess  such 
inforniat  ion. 

3  Asymptotical  Case 

Consider  the  problem  of  constructing  invisibh*  covi'rt  chaniK*!  in  an  a.syinj)tot.ic 
formulat  ion.  L('t  1, 2, ...,  be  the  sectuence  of  finit  e  sets,  tlu*  t  ime  is  discrete. 

At  ea(‘h  n  U  obst'rvf's  the  vector  Xji  ~  (jq , ...,  j-„),  j'l  G  A”,.  Wv  can  iissuuH'  that 
the  maximal  information  available  to  U  is  an  infinite  sequence  x  in  the  space*  of 
all  possible*  message's  A': 


'X 

X  G  n  -v, = A . 

In  accorelancc  with  the  previous  assumptions,  there  are  several  me)elels  of  legal 
connnunie  ations  elefined  by  the  pre^bability  nu'asnre's  /\.  A  G  A.  on  X  as  fmic- 
tie)ns  e)n  er-algebra  A.  which  is  generateel  by  cylinelrical  subsets  e)f  A",  Denote 
M-  A  G  A.  f)  G  iV,  be  the  projeetions  of  nie^asuie*.s  P\  eai  the  first  ii  ee)e)reli- 
nate's  e)f  the*  se*(pie'nee*s  e)f  A',  De*ue)te  j,  be  the  sui)pe)rt  e)f  the  iiH'asnre*  „ 
in  the  spaee 


„  X  II  A',, 

1  =  71-1-1 

111  the*  a.symi)te)t ie‘  feirnmlat iein  e)f  the*  probh'in  of  e’eive'i  t  communication  de’tce  tiejn 
Vi  luis  a  .se^iiience  of  criteria  t\,  n.  A  G  A.  ?!  G  A' .  that  are*  sjiecifie'd  by  a  se*(pK'nce 
of  (‘ritical  sets 

7i 

Sx.  „  C  Y[X,. 

U  choeises  n  and  use's  tei  make  his  ele'cisiem  about  the  pre.sence  of  a  cove*rt 

ehamu'l  in  [IJLj  A',  with  a  known  C\,  Namely,  if  the  .sequeiu'e*  .t„  belongs  to 
•-^A,  then  U  aimonnces  the  identification  of  a  covert  chamu'l.  We  be'lieve  that 
S\^  „  chosen  so  t  hat 

^ \{^X,  u)  -oc  d- 


122  A,  Gruslio,  N.  Gnisho,  and  E.  Timonina 


for  any  X  Q  A,  This  means  that  U  asymptotically  identifies  the  correct  k'gal 
transfer.  Obviously,  the  covert  channel  is  not  seen  for  U  for  any  A,  if  the  choice 
of  hidden  message's  does  not  belong  to  Uag^ 

If  it  is  not  known  how  U  selects  a  critical  set,  then  A’  iinist  comply  with 
certain  rules  for  the  selection  of  hidden  messages. 

1.  At  a  certain  A  €  A  for  every  ji  hidden  message  should  belong  to  D\r^, 
For  U  it  is  reasonable  to  include  in  5a,  n  fh^'  secjiiences  Xn  from  OT-^i 
which 

P\,  n(Xn)  =  0. 


This  rule  is  illustrated  in  Example  2. 
2.  If 


F  -  a:\ 


u  u  ( ^  n 

.  n  Aca  \  / 


becomes  ('iiipty,  that  will  make  iinpossibh'  for  A’  to  choose  a  hidden  message. 
If  F  consists  of  a  finite  number  of  sequem  e,  then  U  increases  a  total  number  of 
forbidden  messciges  by  adding  last  sc'veral  messages  from  F.  In  the  case,  when  F 
consists  of  a  countable  set  of  sequences,  then  U  can  decrease  F  to  a  sufficiently 
large  finite  set,  and  significantly  limit  the  ability  to  hide  iiiforination. 

Let’s  investigate  the  effeet  of  tlie.se  rules  on  the  choice  of  A’.  The  discrete 
topology  can  be  considered  on  Xt.  Then  X  becomes  a  topological  space  (Ty- 
chonoff  product  [1 1,12]).  This  space  is  compact,  because  A',  is  finite.  In  addition, 
the  topological  space  A"  has  a  countable  base,  because  class  of  cylindrical  sets 
is  countable.  In  our  case,  the  Borel  rr-algebra  13  coincides  with  Therefore,  all 
measures  F\,  A  €  A  ,  are  defined  on  B. 

It  is  obvious  that  for  any  A  E  A  the  sequence  Aa,  ^  A',  is  noihncreasing. 
since 


-^A,  n  — 1  X  Ari  ^  77.' 


Hence,  there  is  a  limit 

c» 

^A  =  Pi  ^A,  n- 
n=l 

All  ^A.  n  VU  G  N,  are  closed  and  open  sets  of  a  tojiological  space  X.  Thendore, 
for  all  A  E  A  sets  zAa  are  closed  in  the  Tychonoff  product.  Then  A  is  a  closed 
set: 

oc 

(1) 

XeA  AG/ln  =  l 

In  formula  (1)  w('  can  take  a  countable  set  of  iionincreasing  cylindrical  sets 
An.n  G  N.  such  that 

oo 

^ = n 

7J  =  1 


There  are  several  ca.se.s. 


Probk'ins  of  Modeling  in  (he  Analysis  of  Covert  C’hannels  12d 

Case  L  ^  =  0,  Because  by  the  compactness  of  .Y  there  (wists  for  which 

Af 

n  =  0. 

n  --- 1 

By  noil  increasing  of  seqiKMice  n  €  A\ 

—  0. 

Tliis  means  that  for  some  n  A'  has  no  choice  for  invisible  covc'i  t  cominnnication. 
Any  choice  of  A’  can  be  seen  by  U  in  tlu’se  circiinistaiic(\s.  l.e.  for  A'  there  is  no 
giiaraiitcH'  of  invisibility  of  the  hicldc'ii  transfer. 

Case  II.  The  set  A  includes  some  open  sc't  of  X .  Since'  any  open  .set  in  A'  is  a 
coniitable  union  of  some  of  cylindrical  sc'ts,  then  all  sets  Ax,  A  €  A,  include'  at 
le'cist  e)ne  cylinelrie-al  set  which  is  common  for  all  sets  Ax-  Any  e*vlindrical  .set  is 
niie  e)iintable.  Conse'epiently,  in  Ax  theue*  exists  an  uncountable'  set  of  points,  e'ae-h 
of  them  has  measure'  0.  Therefore.  A*  can  choose  of  the'in  a  satisfactory  secinence' 
(a  finite'  set  of  sequeuie^e's)  for  covert  connminie*atioii.  c'lisiiring  the  none'xistc'iice 
e)f  a  e:e)risistent  seqneuiex'  of  criteria  for  elete'e  tie)n  this  coinmnnication  by  U.  And 
there  is  a  consiste'iit  procedure  for  B'  to  understand  the  infe)rinatie)n  tliat  A'  se'iit 
to  him. 

Case  III.  If  the  coiiditie)ns  1  e)r  H  are  not  fiilfillc'el,  the'ii  tiic'  te)pe)le)gical  sti  ne  tnre' 
e^f  a  cle)sed  sc't  A  is  more'  coiiii)lex  and  re'qiiire's  fnrtlu'r  stiiely. 

Example  3.  C'oiisielc'r  the  family  of  distributions  (/h,  1 2)^  e'orre'sponding  te)  the 
e'xamples  1  and  2.  That  is,  /T  e'e)rre'spe)nel.s  te)  a  seque'iice  of  iiel  ranele)ni  variable's 
taking  values  0  anel  1  with  probabilitie's  1  —  p  anel  p.  ()</)<  1.  P2  cejrrc'spoiiels 
te)  a  statie)nary  homogeneous  Markov  e  hain  e)ii  the  state's  0  anel  1  with  a  matrix 
/^  where  pu  =  (h^Pvz  =  1  -  (n^P2\  =  (I2  P22  =  1  *-  ^/2- 

If  0  <  e/i  <  1  and  0  <  c/2  <  1,  then  for  any  n,  the  e'qnality  Do,  n  =  Dq,  „  is 
fiilfilk'd.  Therefore  ==  ^0  —  *^2  =  A'.  In  this  case  A  contains  an  open  sc't.  As 
was  shown  [13]  A'  can  che)ose  any  se'cpience  as  a  hieldcn  signal.  In  this  case  fe)r 
U  thc're  is  no  consiste'iit  sc'cpic'iice'  of  euiteria  for  identifying  a  ee)vert  channe'l. 

Ce)n.side'r  the  case  when  0  <  qi  <  1.  as  c/2  =  I.  In  this  case,  for  any  n 
Do.,,  D  Di.n^  So  A  —  A2  and  A  is  an  imconntabk'  ck)se'el  set  without  iiiterie)r 
pe)ints.  Thus  wo  have  ce)nelitions  e)f  the  c^ise  III. 

4  Conclusion 

We  fonnel  the  de'pe'ndeiice  of  judgments  al)ont  invisibility  e)f  covert  e  hannels  anel 
the'  che)ice'  of  a  probabilistic  iimdel  of  the  legal  communication.  When  we  trv  te) 
simplify  the  pre)babilistic  rnoelels  of  h'gal  coninuinicatie)ns  we  may  loose  the  bans, 
wliich  are'  pre)hibit('d  in  k'gal  communications.  Bans  may  generate  significant 
change's  in  the  tope^logical  struct  lire  e)f  certain  subsets  of  supports  of  probability 
measure's.  These  stniediiral  (‘haiige's  e'aii  be  detectc'd  hy  a  ce)inpntcu*  siniiilatmn 
that  may  give  a  chance  to  simplify  the  search  of  bans  in  real  systems. 


124 


A.  Griislio,  N.  Grusho,  and  E.  Tinioniiia 


References 

1.  Johnson,  N.F.,  Diiric,  Z.,  Jajodia,  S.:  Inforniation  Hiding:  Steganograpliy 
and  Watermarking- Attacks  and  Coiintermcasiiros.  Kliiwer  Academic  Pnblisiiers, 
Boston  (2000) 

2.  Wang.  Y..  Monliii,  P.;  Perfectly  secure  steganograpliy:  Capacity,  error  exponents, 
an<l  code  constructions.  IEEE  Transactions  on  Inforniation  Theory,  Special  Issue 
on  Security  r)4(())  (2008) 

3.  Grusho,  A.,  Kniazev,  A.,  Timonina,  E.:  Detection  of  Illegal  Information  F’low. 
In:  Gorodetsky.  V..  Kotenko,  I.,  Skormin,  V^A.  (eds.)  MMM-ACNS  2005.  LNCS, 
vol.  3G85.  pp.  235  244.  Springer,  Heidelberg  (2005) 

4.  Filler,  T.,  Fridrich,  J.:  Complete  characterization  of  perfectly  .secure  st ego- systems 
with  miitnally  indopoiidoiit  embtHlding  operation.  In:  Proceedings  IEEE  Interna¬ 
tional  Conference  on  Acoustics,  Speech,  and  Signal  Processing,  pp.  19  24  (2009) 

5.  Cachin.  C.:  An  in  format  ion- theoretic  model  for  steganography.  Information  and 
Computation  192(1),  41  56  (2004) 

6.  Moulin,  P.,  Wang,  Y.:  New  results  on  steganographic  capacity.  In:  Proceedings  of 
the  (Conference  on  Information  Sciences  and  Systems,  CISS,  March  17-19  (2004) 

7.  F  iller,  T..  Fridrich,  J.,  Kor,  A.D.:  The  square  root  law  of  steganographic  capacity 
for  Markov  covers.  In:  Delp,  E..J.,  Wong,  P.W.,  Meinon,  N.,  Dittmann,  J.  (eds.) 
Proceedings  SPIE,  Electronic  Imaging,  Security  and  Forensics  of  Multimedia,  San 
Jose.  CA,  vol.  XI,  pj).  18  21  (January  2009) 

8.  Simmons,  G.J.:  The  prisoners  problem  and  the  subliminal  channel.  In:  Chaum,  D. 
(ed.)  Advances  in  Cryptology:  Proceedings  of  Crypto  1983,  pp.  51  07  (1984) 

9.  Grusho.  A.:  On  existence  of  subliminal  channels.  Discrete  Mathematics  and  Ap¬ 
plications  9(2),  1  8  (1999) 

10.  Shannon,  K.:  The  works  on  information  theory  and  cybernetics.  Foreign  Literature 
Moscow  (1903)  (ill  Russian) 

11.  Boiirbaki,  N.:  Topologie  Geiierale.  Science.  Moscow  (1968)  (in  Rus.sian) 

12.  Prokhorov.  U.V.,  Rozanov,  U.A.:  Thwry  of  probabilities.  Science,  Moscow  (1993) 
(in  Russian) 

13.  Gru.sho.  A.,  Grebiiev,  N.,  Timonina.  E.:  Covert  channel  invisibility  theorem.  In: 
Gorodetsky,  V.,  Kotenko,  I.,  Skormin,  V.A.  (eds.)  Proceedings  of  F'oiirth  Inter¬ 
national  Conference  on  Mathematical  Methods,  Models,  and  Architectures  for 
Computer  Network  Security,  MMM-ACNS  2007-  pp.  187  19G.  Springer,  Heidel¬ 
berg  (2007) 


Policy-Based  Design  and  Verification 
for  Mission  Assurance* 


Shhi-Kai  Chin’,  Sarah  Mucci(y‘’,  Stisaii  Older’,  and  Tli()nia,s  N..1.  VestaP 

’  ICEC'S  Doj)arluiout.  Syracuse  Uiiivc’rsity,  Syracuse,  New  York  lik244,  USA 
^  Air  I'brce  Research  Lfiboratory,  Rome.  New  York  13411,  l^SA 


Abstract.  Intelligent  systeni.s  ofttMi  operate  in  a  blend  (^f  cyberspaci 
and  physical  space.  Cybers])ace  operations  ])lanning,  actir)ns,  and  ef¬ 
fects  in  realin.s  where  signals  alTect  intelligent  systems  often  occur  in 
milliseconds  without  human  intervention,  D(’cisious  and  actions  in  cy¬ 
berspace  can  affect  physical  sj^ace,  particularly  in  SC  AD  A  s\ij>ervis()rv 
control  and  data  acquisition  systems.  For  critical  military  missions,  in- 
t(41ig('nt  and  autonomous  systems  must  adhere  to  commander  intent  and 
operate*  iii  ways  that  assure  the  integrity  of  mis-sion  operations.  This  pa- 
p('r  shows  how  i)oli(  y.  expre.s.sed  using  an  access-cont  rol  logic.  scTves  jis  a 
bridge  l)etw(*en  commanders  and  impleinenters.  Wr  describe  an  acce.s.s- 
control  logic  bascnl  on  a  multi-agent  proi)ositional  modal  logic,  show  how 
policic'S  are  described,  how  access  (U'cisious  are  justified,  and  give  exam- 
pl(?s  of  how  concepts  of  oiMTat  ions  are  analyzed.  Oiir  experience  is  policy- 
Inused  design  and  verification  is  within  the  reach  of  practicing  engine<M*s. 
A  logical  approach  enables  engineers  to  think  precisely  about  tin*  .secu¬ 
rity  and  integrity  of  their  systems  and  the  mi.ssions  they  support. 

Keywords:  policy,  concept  of  operations,  accc\ss  control,  logic. 


1  Introduction 

Cyber  siiaee  and  jibysieal  spaev  are  ever  more  intertwined.  Cyber-physical  sys¬ 
tems,  i.e.,  .systems  with  tight  coordination  lietweeii  coini)ntational  and  jiliysical 
resources,  operate  in  these  intertwined  worlds.  Automatic  jiilots  in  aircraft  and 
smart  weajKins  are  examjilcs  of  cyber-physical  systems  where  the  capability  to 
complete  Boyd's  o6.scn;c-f>n>Td-dcc/’c/c-ac/  decision  loop  [l]  in  milliseconds  with¬ 
out  hmnau  intervention  is  essential. 

For  conimanders,  fulfilling  the  iiiis,sions  entrusted  to  them  is  of  i)aranionut 
importance.  As  antonoinons  cyber  and  cvber-])hysical  systems  have  by  their  very 
nature  little,  if  any,  human  snix'rvision  in  their  decision  loojis.  mission  assurance 
and  mission  integrity  concerns  re(|iiire  that  the  trustworthiness  of  tlu'se  systems 
be  rigorously  established. 

A  practical  concern  is  how  commanders  and  implomenters  will  communicate 
with  each  other.  Coinniaiulers  operate  at  the  U'vtd  of  policy:  what  is  permitted 
and  under  what  cireimistances.  Inii^lcnientcrs  are  concerned  with  mecliaiiisms. 
Our  observat  ion  is  that  eonimaiulers  and  impleinenters  (‘ommnnieate  through  de¬ 
scriptions  of  policy  and  conee})ts  of  operation.  Our  key  contribution  is  a  method¬ 
ology  for  describing  policies  and  trust  assumptions  within  tin’  (‘ontext  of  concepts 
of  operations. 

Distribution  Statement  A  Approved  for  Public  Release'  Distribution  Unlimited 

Docmiient  #88ABW-20 10-08 If),  dated  24  Febnuirv  2010. 

1.  Kotenko  .in<l  V'.  Skorniln  (Eds.):  MMM-ACNS  2010.  LNCS  C2,58,  pp,  125  1.3S.  2010. 

©  Spi  ingei -Verlag  B<‘rlin  Heidelberg  2010 


126  S.-K,  Chin  et  al. 


The  remainder  of  this  paper  is  organized  as  follows.  First,  we  iuforiiially  de¬ 
scribe  tlie  ctaitral  elements  of  policy  and  concepts  of  operation  that  we  wish  to 
describe  and  justify  rigorously.  Second,  we  describe  tlie  syntax  and  stmuintics  of 
our  accc'ss-coiitrol  logic.  Third,  we  describe  a  hypothetical  concept  of  operations, 
formalize  its  description,  and  provide  a  formal  justification  for  its  operations. 
Finally,  we  offer  summary  remarks  and  coiK-lusions. 


2  Elements  of  Policy  and  Concepts  of  Operation 

Policies  are  principles,  guides,  contracts,  agreements,  or  statements  about  deci¬ 
sions,  actions,  authority,  delegation,  credentials,  or  representation.  Concepts  of 
operation  (CONOPS)  describe  a  system  from  the  user's  perspective.  CONOPS 
describe  the  goals,  objectives,  policies,  responsibilities,  jurisdictions  of  v^arious 
authorities,  and  operational  processes. 

The  elements  of  policy  we  are  concerned  with  iiicliide: 

—  who  or  what  has  control  over  an  action  and  under  what  circumstances, 

“  what  are  recognized  tokens  of  authority, 

—  who  are  recognized  dc^legates, 

—  what  credentials  are  n^cognized, 

—  what  authorities  are  recognized  and  on  what  ar('  they  trusted,  and 

—  any  trust  assumptions  used  in  making  decisions  or  jiidgiiKaits. 

We  conceptualize  CONOPS  as  a  chain  of  statements  or  requests  for  action.  I'hese 
requests  are  granted  or  rejectcnl  based  on  the  elements  of  ])olicy  listed  above. 
This  is  illustrated  in  Figure  1.  What  Figure  I  shows  is  an  abstract  depiction  of  a 
CONOPS  that  has  three  or  more  principals  or  agents:  PL  P2,  and  PS.  Principals 
are  entities  such  as  subjc’Cts,  objects,  keys,  tokens,  proc(*sses,  (*tc.  Principals  are 
anything  or  anybody  that  makes  requests,  is  acted  upon,  or  is  used  as  a  token 
representing  a  principal. 

CONOPS  begin  with  a  statement  or  request  si  by  PL  In  the  syntax  of  the 
access-control  logic  we  introduce  next,  this  is  the  formula  PI  says  si.  Principal 
P2,  is  envisioiK'd  to  receive  the  statement  PI  says  si,  and  within  the  context  of 
jurisdiction  statements,  policy  statennents,  and  trust  assuiiiptioiis,  P2  conchuk's 
.s2  is  justified.  As  a  result  of  this  justification,  principal  P2  transmits  a  statement 
P2  says  s2  to  principal  PS^  who  then  reacts  within  the  context  of  its  jurisdiction 
and  policy  statenients,  and  trust  assumptions.  We  repeat  tliis  for  all  principals 
and  proces.ses  in  the  CONOPS. 

Within  the  boxes  labeled  Principal  2  and  Principal  3  are  ('xpre^ssions 


|P1  says^^ 


Pnngpal  2 

Pnncipal  3 

PI  sayssi 

P2  says  s2 

Jurisdiction  statements 

- \ 

Jurisdiction  statements 

Policy  statements 

Trust  assumptions 

P2  says  s2  y 

Policy  statements 

Trust  assumptions 

$2 

S3 

P3  says  s3 


Fig.  1.  Conccj)t  of  Operatioii.s 


Policy-Biuscd  Design  and  Verification  for  Mission  Assurance 


127 


PI  says  .si 

Jurisdiction  staternents 
Policy  statements 
T)  us  t  assurnj)  Ho  ns 

- Til - 


and 


P2  says  s2 

J u ris diction  statements 

Policy  statements 

Tilts f  assump t ions 
- - 


Wliat  tli(*  al)ove  expressions  intend  to  convey  is  that  Ixised  on:  (1)  the  stateiiK'nts 
or  reejuests  .si  and  .s2  ina<le  by  ])rincij)als  Pi  and  P2,  and  (2)  tlu*  statements 
of  jnrisdietioiK  policy,  and  trust  assumptions  under  wliich  ])rincij)als  P2  and 
P.’l  oi)(‘rat<*,  P2  and  Pd  an'  logically  justified  (using  tlu'  logic  and  calculus  we 
dest:ril)e  next)  to  coiu^lnde  .s’2  and  .s\d.  As  we  will  see  after  fornially  describing 
tlu'  syntax  and  semantics  of  our  logic  ,  the  two  expressions  above  have  the  form 
of  derived  infc'rc'iicc'  rules  or  tficorcrns  in  onr  calculus.  Kac'li  step  of  a  CONOPS 
exjMc'ssed  in  this  fashion  is  a  theorc'in  justifying  the  Ix'havior  of  a  .system. 

One  of  the  principal  values  of  using  t  he  acc'es.s-control  logic  is  the  ('valuation 
of  a  CONOPS  for  logical  consistency  within  the  contc'xt  of  given  policies,  c'er- 
tific'at ions,  and  trust  assumptions,  dlu'  procc'ss  we  outline  hc'rc*  make's  explicit 
uiidc'rlying  assmni)tious  and  potential  \ nhu'rabilities.  This  leads  to  a  deepc'r  nn- 
dc'rstanding  of  the  underpinnings  of  sec  urity  and  integrity  for  a  system.  This 
grc'atc'i*  understanding  and  precision,  when  coniparc'd  to  informal  dc'se-riptions. 
prochic'c's  more'  informc'd  dc'sign  dc'casions  and  tradc'-offs. 

In  the  following  section,  we  dc'fiiic'  the  syntax  and  sc'inaiitics  of  tlic'  ac'C'C'ss- 
coiitrol  logic  and  calculus. 


3  An  Access-Control  Logic  and  Calciihis 

3.1  Syntax 

Principal  Erpi’(\ssions.  L(*t  P  and  Q  range  ov('r  a  collection  of  princ*ipa!  c'Xprc'S- 
sions.  L(‘t  A  range  ov<*r  a  countable  s(*t  cjf  simi)le  princij^al  name's.  Th(‘  abstract 
syntax  of  juincipal  c'X]^rc*ssions  is: 

P  ::=  A  /  PVg  /  P  I  Q 

The  princii)al  f^k:Q  (‘‘P  in  (‘onjunct ion  with  Q’’)  is  an  abstrac  t  principal  making 
c'xactly  tho.se  statc'iiu'nts  made  by  both  P  and  Q:  P  |  Q  (“/’  cpioting  Q'")  is  an 
ab.stract  j)rincipal  corrc'sponding  to  principal  P  ciuoting  principal  Q. 

Ac'cy’s.s  Control  Statements.  The  abstract  syntax  of  statc'inc'iits  (ranged  ovc'r  by 
<f)  is  dc'fined  as  follows,  where  P  and  Q  range'  over  princ‘ii)al  exprc'ssioiis  and  p 
range's  cner  a  count abh'  sc't  of  propositional  variables: 

T  P  /  ~^^  /  ^  Pi  /  Vi  V  ^2  /  P\T>  <P2  /  Vi  ^  pi  / 

P  =>  Q  /  P  says  ^  /  P  controls  ^  /  P  reps  Q  on  ^ 

Informally  a  forinnla  P  ^  Q  (proiioiinc'c'd  '‘P  .spc'aks  for  (/')  indicat (‘s  that 
('very  statenu'iit  made  by  P  can  also  bc'  viewed  as  a  stntc'iiK'iit  from  Q.  A  forinnla 
P  controls  is  syntac  tic  sugar  for  the  implication  {P  says  D  in  effc'ct.  P  is 
a  trusted  authority  with  respect  to  the'  .statc'ineiit  <p.  P  reps  Q  on  p  denotc's  that 
P  is  Q  s  delegate  on  p:  it  is  syntactic  sugar  for  (P  says  {Q  says  >^))  D  Q  says  p. 
Notice  that  the  dc'finition  of  P  reps  Q  on  is  a  special  case  of  controls  and  in 
c'ffc'ct  a.s.s('rts  that  P  is  a  trusted  authority  with  respect  to  Q  saying  p. 


128 


S.-K.  Chin  et  al. 


=  l{p) 

I«pi  A  1^2]  —  ^Ai I'pi D  n  [<^2] 

^AllI'Pl  V  ip2l  =  U^'ai|[<P21 

^Ai  |[<Pi  3  <P2l  =  (VV'  -  SjsA  I<Pil)  U  €m  Iv^^I 
f  Al  Iv^l  =  <P21  =  3  <^2!  n  f,v(  l<p2  D  <pl  1 


£MlP->Qi  = 


if  J(Q)  C  J(/’) 
otherwise 


^"aiII^  says  =  {w\J{r){xu)  C  fA^Iv?]!} 
controls  =  £^^\{P  says  v?)  D  if] 

Sj^  [[/’  reps  Q  on  =  €j^  [[/^  I  Q  says  f  D  Q  says  i^l 


Fig.  2.  Soniaiitic.s 


3.2  Semantics 

Kripkc  struct iircs  define  the  semantics  of  formulas. 

Definition  1.  A  Kripke  structure  A4  is  a  fhrrc-iuplr  (\V\I.J),  where: 

—  \V  is  a  nonempty  set,  whose  elements  are  railed  worlds. 

—  /  :  PropVar  V[\V)  is  an  interpretation  funeiion  that  maps  each  propo¬ 
sitional  vajiable  p  to  a  .^et  of  worlds. 

—  J  :  PName  — ►  'P{W  x  IT)  is  a  function  that  maps  each  principal  name  A 
to  a  relation  on  worlds  (i.e.,  a  subset  of  W  x  IT/ 

We  extend  J  to  work  over  arbitrary  principal  expressions  using  set  union  and 
relational  composition  as  follows: 

J{PkQ)  =  .J{P)  U  J{Q) 

J{P\Q)  =  .JiP)oJ{Q). 


where 

J{P)  oJ{Q)  =  {(?/’!,  ?C2)  I  3w’'.(?Ci.  n^')  G  J{P)  and  {ir\7V2)  G  J{Q)} 


Definition  2.  Ea(  h  Kiipke  .stntctnre  M  =  (U',  /, ./)  yives  rise  to  a  function 

*  Forrn  ViW). 

where  is  the  set  of  worlds  in  which  (f  is  considered  true.  defined 

inductively  on  the  sh'ucture  of  9,  as  shown  in  Figure  2. 

Note  that,  in  the  definition  of  says  ip],  J{P){w)  is  simply  the  image  of 

world  w  under  the  relation  J{P). 


3.3  Inference  Rules 

In  practice,  relying  on  the  Kripke  semantics  alone  to  rccison  about  policies, 
CONOPS,  and  behavior  is  inconvenient.  Instead,  inference  rules  are  used  to 
inaiiipulate  forniuh^s  in  the  logic.  All  logical  rules  must  be  sound  to  maintain 
consistency. 


F\)licy-Base(i  De^^igii  and  Vinification  for  Mission  Assurance 


129 


rp  .  _  if  V?  is  ail  instance  of  a  prop- 

^  logic  tautology 


Moiliia  Ponrnfi 
Ml*  Says 


y'  D  y 


•''Viy.s  — — - 

P  says  ^ 


[P  says  D  y?'))  says  ^  j  P  says  ^') 

Spraks  For 


P  =>  Q  D  {P  says  ^  D  Q  says 


f^Says 


P  I  (2  says  v?  =  /*  says  Q  says 


P&^Q  says  =  /’  says  <p  ^  Q  says  yr 

/>'  =>  />  Q'  ^  Q 


l(lf‘iiLp()teury  of  -  Mvnvionicity  of  I 

^  p  ^  /'  '  /»'  I  g'  1  g 


Associativity  of  | 


/*  I  (g  I  ^0  says  y- 
(P  I  g)  I  /?  says  y- 


P  controls  y?  '  '  {P  says  y^)  Z)  -f 
P  reps  g  on  ^  ^  g  says  ^  Z)  Q  says  . 

Fig.  ft.  Core  Infinent  e  Hnl(\s 


/»  .  /f,  /»|gsaysy? 

Quoting  (IJ  — - - - 

/  says  g  says  y? 


Quoting  (2) 


P  says  g  says  ^ 


C’onlrols 


P  controls  ^  P  says  ^ 


Denvf  d  Spt-nks  Fo 


P  1  g  says  ^ 

P  ^  Q  P  says  s 


g  says  y 


Reps 


Q  controls  y?  P  reps  g  on  y?  /'  1  g  says  y? 


Rep  Says 


P  reps  g  on  ^  ^  I  g  says  y? 


g  says  v? 

Fig.  4.  [)('rived  Ftules  Used  in  this  Papt'r 


Defiintioii  3.  A  I'ulc  of  font i 


//l  -  IIu 
C 


is  sound  if,  for  nil  Krij)ko  struct  uirs 


M  —  (Ui  /.  J),  if  cndi  i  G  {I . //},  then 


Tli(‘  riih’s  in  Figiir(\s  3  and  4  art'  all  sound.  As  an  additional  check,  tlu'  logic 
and  ruU's  have  1)('(mi  iin])leineiitccl  in  tlu'  nOL-4  (lliglicr  OrdtT  Logic)  theorem 
pi  over  as  a  conservativt'  extc'iision  of  the  llOL  logic  [2]. 


3,4  Coiiftflontiality  and  Integrity  Policies 

Confident ialitv  and  integrity  policies  such  as  BelLLaPadiila  [3]  and  Bil)a's  Strict 
Integrity  policy  [4],  depend  on  cla.ssifying,  i.e,.  assigning  a  confidentiality  or 
integrity  level  to  iiiforiiiatiom  subjects,  and  obji'cts.  It  is  straightforward  to 
extend  tlu'  acces,s-c()ntrol  logic  to  iiielude  confidentiality.  int(‘grity,  or  availability 


VM) 


S.-K.  Chin  ot  al. 


lovols  as  needed.  In  what  follows,  we  show  how  the  syntax  and  semantics  of 
integrity  levels  are  added  to  the  core  aeeess-eontrol  logic.  Tlu’  same  process  is 
used  for  levels  used  for  confidentiality  and  availability. 

Syntax.  The  first  step  is  to  introduce  syntax  for  describing  and  comparing  secu¬ 
rity  levels.  IiitLabel  is  the  collection  of  simple  integrity  labels,  which  are  used 
as  names  for  the  integrity  levels  (e.g.,  HI  and  LO). 

Often,  we  refer  abstractly  to  a  principal  P's  integrity  level.  We  define  the 
larger  set  IntLevel  of  all  possible  integrity-level  exi)ressions: 

IntLevel  IntLabel  /  ilev(PNaine). 

A  integrity-level  expression  is  either  a  simple  integrity  label  or  an  expression  of 
the  form  ilev(.4),  where  A  is  a  simple  princii)al  name.  Infornially.  ilev(A)  refers 
to  the  integrity  level  of  principal  A. 

Finally,  we  extend  our  definition  of  well-fornied  formulas  to  support  eonipar- 
isons  of  integrity  levels: 

Form  ::=  IntLevel  <i  IntLevel  /  IntLevel  =i  IntLevel 

Informally,  a  fonnula  such  as  LO  <j  \\e\/{Kate)  states  that  Kate's  integrity  level 
is  greater  than  or  equal  to  the  integrity  level  LO.  Similarly,  a  formula  such  as 
ilev( Parry)  =,  ilev(,7ec)  states  that  Barry  and  Joe  have  been  assigned  the  same 
integrity  level. 


Semantics.  Providing  formal  and  precise'  meanings  for  the  newly  added  syntax 
requires  ns  to  first  extend  our  Kripke  strnetiires  with  additional  components 
that  describe  integrity  classification  levels.  Specifically,  we  introduce  extende'd 
Kripke  structures  of  the  form 

M  =  (IP,/,  J./v,L,^>, 

where: 

—  IP,  /,  and  J  are'  as  defined  earlier. 

/C  is  a  non-empty  set,  which  serves  as  the  universe  of  integiity  levels. 

—  L  :  (IntLabel  UPName)  ^  K  is  a  function  that  maps  each  intc'grity  label 
and  each  simple  princii)al  name  to  a  intc'grity  level.  L  is  extended  to  work 
over  arbitrary  integrity-level  expressions,  as  follows: 

L{  ilev(A))  =  L{A). 

for  every  simple  j)riiicipal  name  A. 

—  :<C  K  X  K  is  a  partial  order  on  K\  that  is,  -<  is  reflexive  (for  all  k  G  A", 

k  ■<  k),  transitive  (for  all  k\.k2.k:i  G  A',  if  A:i  ;<  k2  and  k2  A:3,  then 
7*1  7:3),  and  anti-symmetnr  (for  all  7*1, 7:2  G  A',  if  7:i  -<  7:2  and  7:2  -<  k\^ 

then  k\  =  7*2). 

Using  these  extended  Kripke  structures,  we  extend  the  semantics  for  our  new 
well-formed  expressions  as  follows: 


£m  [T'  1 


\iL{U)<W2) 

otherwise 


=1  f2}  =  e2]n£Ml(2  <,  7ll. 

As  these  definitions  suggest,  the  expression  £1  ==i  ^2  simply  syntactic  sugar  for 
(^1  <*^2)A(^2<.^i). 


Policy- Bius('( I  Do^igii  and  Verification  for  Mission  Assuraiuc’ 


i;u 


f2  -  (fl  <.  (2)^{h  <.  ^l) 
Rcflcxiviiy  of  < 


Transitivity  of  <, 


(  <,  f 
fl  <,  ^2  (l  <,  ^3 


si  <. 


<. 

ilev(r)  =,  fl  ilevig)  f,  fl  <,  ('2 


ilev(/’)  <,  ilev(Q) 

Fig,  5.  InfcKMicc'  rules  for  relating  int  egrity  levels 


Logical  Rules.  Based  on  the  extended  Kripke  semantics  we  iiitrodiue  logical 
rules  that  sti[>port  the  use  of  integrity  levels  to  reason  about  access  reqiu’sts. 
Six^ifically,  the  definition,  itdh’xivity.  and  transitivity  rides  in  Figure'  5  refk'ct 
that  is  a  partial  order.  Tlu'  fourth  rule  is  derived  and  convenient  to  have'. 


4  Expressing  Policy  Elements  in  the  Logic 

With  the  ele'finitie)!!  of  the  syntax  aiiel  semantics  of  acccss-ee)iit re)l  le)gie*,  we  j)re>- 
viele  an  introelnctiem  to  e'xpre'ssing  key  e'hune'iits  e)r  pe:)licy. 

Statnnmts  and  requests.  State’iiients  and  rccpiests  are  iiiaele  by  priiicij)als.  Ih*- 
epie'sts  are  le)gieal  statements.  Fe)r  example,  if  Alice'  wants  to  reael  file  foo,  we' 
represent  Alice's  request  as  Alice  says  {reaxLfoo).  We  interpret  {read.foo)  tis 
*Mt  we)nlel  be  advisable  to  re'ael  tile'  /no." 

Credentials  or  eertificates  are'  statements,  usually  signe'd  with  a  crypt e)graphic 
ke'y.  Fe)r  example,  assume  we  be'lieve  publie:  key  AV  a  tAe'  key  usexl  by  certificate' 
authe)rity  CA.  With  this  be'lie'f.  we'  wonlel  interjue't  a  stateme'iit  nuule  l)y  AV  \  te) 
e*e)ine  fre)m  CA.  In  particular,  if  1\CA  says  [K \nc€  ^  Aliee),  we  would  inte'ipret 
this  public  key  certificate  signeel  by  Kc  a  having  ceune  from  CA. 

Jumsdietion.  Jnrisflictie>n  statements  identify  who  or  what  has  autlie)rity,  sj)e'- 
e  ific  privileges,  penvers,  or  rights.  In  the  logic,  jiirisdictiem  stateme'iits  n.siially 
are  controls  stateme'iits.  For  e'xample.  if  Alice  has  the  right,  to  reael  file' /on,  we* 
.say  Alice  controls  (read^foo).  If  Alice  has  reael  juriseliction  on  foo  and  Alice  re¬ 
quests  to  re'ael  foo,  then  the  Controls  inference  rule  in  Figure  4  allows  us  to  infer 
{read,  foo)  is  a  semiul  deeisieni,  i.e'., 


Alice  controls  {read,  f  oo)  Alice  says  {read,  f  oo) 

{read,  f  oo). 


Controls  statements  are  alse)  stat.eineiits  e)f  trust.  Suppe>se  CA  is  recognized  as  the' 
trnste'el  autheirity  em  piiblic-ke'y  c  ertificates.  If  CA  says  (Kaucc  Alice)  tlien  we' 
believe  that  K Alice  i«  Alice  s  public  key.  An  important  consideration  is  that  trust 
is  not  all  e>r  not  liiiig  in  onr  logic.  A  principal  may  be  trusted  on  some  things  but 
not  others.  For  e'xample,  wc'  may  trust  CA  on  matters  relatc'd  to  Alice  s  ke'v,  but 
W('  may  not  trust  CA  on  saying  wlictlic'r  Alice  has  write  pcrinission  on  file  foo. 
Essentially,  the  sex^pe  ejf  trust  of  a  princ  ipal  is  liinited  to  the  spexdfic  statements 
over  wine'll  a  principal  has  control. 


132  S.-K.  Chin  ct  al. 


Proxies  and  delegates.  Often,  principals  who  are  the  sources  of  requests  or  state¬ 
ments,  do  not  in  fac  t  make  the  statements  or  requests  themselves  to  the  guards 
I)rotectiiig  a  resource.  Instead,  something  or  somebody  makes  the  recpiest  on 
their  behalf.  For  example,  it  is  quite  common  for  cryptographic  keys  to  be  used 
as  proxies,  or  stand-ins,  for  j^rincipals.  In  the  case'  of  certificate  authority  CA,  we 
would  say  Kca  CA.  If  we  get  a  certificate'  signe'd  using  Kca^  thou  we  would 
attribute  the  information  in  that  certificate  to  CA.  For  example,  using  the  De¬ 
rived  Speaks  For  rule  in  Figure  4  we  can  conclude  that  certificate  autlK)rity  CA 
vouches  for  Kaucc  being  Alice’s  public  key: 

=>  CA  Kca  says  =>  Alice) 

CA  says  {K^xuc*:  =>  Alice). 

Ill  situations  where  delegates  are  relaying  orders  or  statements  from  their  su¬ 
periors,  we  typically  use  reps  formulas.  For  example,  say  Alice'  is  Bob's  delegate 
on  withdrawing  funds  from  account]  and  depositing  funds  into  account2-  If  we 
recognize  Alice  as  Bob's  delegate,  we  would  write: 

Alice  reps  Bob  on  {{withdraw  S 10^,  account i )  A  {deposit  account^)). 

From  the  semantics  of  reps,  if  we  recognize  Alice  as  Bob's  delegate,  in  effect  we 
are  saying  that  Alice  is  trusted  on  Bob  stating  that  he  wishes  a  million  dollars  to 
be  withdraw  n  from  accounti  and  deposited  into  account2>  If  Alice  says  Bob  says 
withdraw^  a  million  dollars  from  accoant\  and  depiosit  it  into  account 2,  we  will 
conclude  that  Bob  lias  made  the  request.  Using  the  Rep  Says  rule  in  Figure  4 
we  can  conclude: 

Alice  reps  Bob  on  {{xuithdraw  $10^’.  accownq  )  A  {deposit  $  10^ ,  ac<;oMri<2) ) 

Alice  I  Bob  says  {{withdraw  accounti)  A  {deposit  $10^,  accourUi)) 

Bob  says  {{withdraw  $10^,  accottnti )  A  {deposit  $10®.  arcourif2)). 


5  An  Extended  Example 

In  this  section  we  describe  a  hypothetical  example  CONORS  for  joint  opc'i  ations 
where  Joint  T('rminal  Air  Controllers  (JTACs)  on  the  ground  identify  targets  and 
recpiest  they  be  destroyed.  Requests  are  relayed  to  a  theater  command  author¬ 
ity  (TCA)  by  controllers  in  Airborne  Early  Warning  and  Control  (AEW&C) 
aircraft.  If  approved  by  commanders,  AEW&C  controllers  direct  aircraft  to  de¬ 
stroy  the  identified  target.  To  avoid  threats  due  to  coiniiroiiiised  conununications 
and  control,  the  CONORS  specifies  the  use  of  a  mission  validation  appliance 
(MVA)  to  authenticate  requests  and  orders.  What  follows  is  a  more  detailed 
informal  description  of  the  scenario  followed  by  a  formalization  and  analysis  of 
the  CONORS. 

5.1  Scenario  Description 

The  secpience  of  requests  and  api)i‘ovals  is  as  follows: 

1.  At  the  squad  level,  Joint  Terminal  Air  Controllers  (JTACs)  are  authorized 
to  recpK'st  air  strikes  against  enemy  targets  in  real  time. 

2.  Requests  are  n'layed  to  theater  command  authorities  (TCAs)  by  Airborne 
Early  Warning  and  Control  (AEW&C)  controllers. 

3.  Requested  air  strikes  are  ajii^roved  by  TCAs.  These  coinnianders  are  geo¬ 
graphically  distant  from  the  squad  requesting  an  air  strike. 

4.  Command  and  control  is  provided  by  AEW&C  aircraft  operating  close  to 
the  squad  requesting  an  air  strike. 


PoIicv-Ba,sed  Design  and  Wrific  at  ion  for  Mission  Assnraiu  r 


Threat  Aroidnace.  For  mission  security  and  intc'grity,  JTACs,  AE\\<fw:C  con¬ 
trollers,  pilots,  (ind  d'CAs  use  a  rtiisslon  validation  appliance  (MVA)  to  request, 
transmit,  autlientuatc*,  and  authorize  air  strikes.  MVAs  are  envisioned  to  1k' 
iisc'd  as  follows: 

1.  JTACs  will  use  MVAs  to  transmit  air  .strike  recjnests  to  AFAVfrC  controlkTs. 

2.  AEWWC  (‘ontrollers  use  MVAs  to  (a)  authenticate  JTACs,  and  (h)  pass 
along  JTAC  n'ciuests  to  TCAs. 

3.  TCAs  use  M\^\s  to  (a)  authenticate  JTACs  and  AE\V<k!C  controllers,  and 
(b)  .send  air  strike'  authorizations  to  AEWtVC  controllers. 

1.  APAVtVC  controllers  use'  MV^As  te)  transmit  air  strike  orelers  te)  pilots. 

Sei'untii  and  Integrity  Requireinents.  The  CO\Cl\S  fe)r  using  MVAs  must  niee't 
the'  folle)wing  se'curity  and  inte'grity  re'epiirements. 

All  re'cpK'sts.  e*e)nnnanels.  aiiel  aj)proval.s  must  be  aut hent  icate'el.  No  voice 
conininuicaiions  will  be  nsed.  This  inediiele's  at  a  miniinmn: 

•  All  per.soniiel  are  to  be  authe'nti(‘ate'el  inte)  iiiissieMi  reJe's,  i.e*.,  jednt  tea  ini- 
iial  air  cont  roller  (JTAC),  airben  ne'  e'arly  warning  anel  e*e)ntre)lle'r  (AEWAT’) 
e ontreJle'r,  pile)t,  theate'i*  e*ommanel  authe>ritv  (TCA)  ,  anel  se'emritv  e)fHe-e'r 

(SO). 

•  All  e‘e)mmimication.s,  commands,  and  appre)vals  are'  te)  be  eneaypte'el  anel 
signeel  fe)r  integrity. 

All  aircraft  pile)ts  receive'  their  ehre'ctie)ns  fre)m  AE\W(’  (‘e)ntre)llers  anel  can 
only  ae  t  with  the  appre)val  e)f  the  TCA. 

All  ke'ys,  e*e'rt ifie-ate's,  and  ele'legatie:)ns.  i.e'..  the  fe)imelatie)n  fea*  trn.st,  must  be' 
prote'cte'el  fre)ni  e*e)rrni)t  ion  ehiring  e)peratie)ns.  Only  pe'rse)nne'l  with  pre)pe'r 
inte'grity  le'vels  are'  alle)we'el  te)  establish  e)r  ine)elify  the'  fomieiatie)n  e)f  trust. 


5.2  An  Example  CONOPS 

MVA  Use  Casts.  We  e‘e)nsieler  two  use  case's .  The  first  use'  e‘ase  shows  he)w  MVAs 
are  u.sed  whe'ii  an  air  strike  is  re'epieste'el  by  a  JTAC.  Fhe  seconel  use  case  shows 
how  MVAs  are'  iise'el  when  a  TCA  e)rele'rs  an  air  strike.  Figure'  6  illustrates  the'  flow 
e)f  re'eiucsts  start  ing  from  Alice'  as  JTAC,  through  Be)l)  as  Ce3ntre)ll(_'r.  resulting  in 
an  authenticated  re'ciuest  te)  Care)l  as  J'CA.  The'  pre)e*e.s*s  starts  with  Alice  using 
he'r  token  Token  to  aiithe'iitie  ate'  he'rsc'lf  anel  her  re'epie'st  tej)  the  JTAC  MVA. 


Fig.  6.  Roque.st  Use  Case' 


131 


S,-K,  Chin  ot  ah 


Table  1.  Requests  and  Relayed  Rc'ci nests 


Statement 

Formal  Representation 

request  1 

{Token Alice  1  JTAC)  says  {strike,  tar(j(  t) 

relay  1 

{Ia  iTAC-MVA  1  JTAC)  says  {strike,  target) 

authenticated 
le^qiK'st  1 

JTAC  says  {strike,  target) 

request  2 

{Token Bob  |  Controller)  says  {JTAC  says  {strih  ,  target)) 

relay  2 

{K  Controller- MVA  \  Controller)  says  {JTAC  says  {strike,  tar  git)) 

authenticate'd 
request  2 

Controller  says  {JTAC  says  {strike, target)) 

© 

Card 

© 

Bob 

© 

Bob 

Token, 

t 

, Token, 

I  authenticated 
order  1 

tca] _ ^ 

MVA  1  jy 

Controller  f  ~  _ 
MVA 

- i  k _ J 

Controller 

MVA 

relay  3 


Fig.  7.  Order  Use  Case 


Table  2.  Orders  and  Relayed  Orders 


Statement 

Formal  Representation 

order  1 

{Tokencaroi  \  TCA)  says  {strike,  targi  t) 

rt'lay  3 

{Ktca  MVA  1  TCA)  says  {strike,  target) 

autheuticat('d 
order  1 

TCA  says  {strike,  targd) 

order  2 

{Token-Bob  |  Controller)  says  {TCA  says  {sti'ikeAargi.t)) 

rt'lay  4 

{h'contraih  r-MVA  |  Controller)  says  {TCA  says  {strike,  target)) 

authenticated 
order  2 

Controller  says  {TCA  says  {strike,  targd)) 

The  JTAC  MVA  HUtlienI  ieati's  Alice  and  her  role,  and  relays  Alice’s  request  using 
its  key.  jtac-mva  R>  Controller  MVA.  The  Controller  MVA  anthent  ieates 
the  .MAC  MV^A  and  presents  the  authenticated  request  to  Bob, 

Should  Bob  deckle  to  pass  on  Alice’s  rc'cpiest.  he  uses  his  tok<'n  to  autheiiticate 
himself  to  tin*  Controller  MVA,  which  relays  his  request  to  the  TCA  MVA,  wln(  h 
presents  the  authenticated  request  to  Carol,  a  Theater  Command  Authorit}'. 
Table  1  lists  the  formal  representation  of  eaeh  n'quest,  relayed  request,  an<l 
authenticated  request  in  Figure'  G. 

Figure'  7  shows  a  similar  fle)w  of  orelers  starting  from  Cared  as  TCA,  through 
Be)b  as  Controller,  re'sultiiig  in  an  authe'nticatecl  oreler  to  Dan  as  Pilot.  Carol 
anthent  ieates  heuself  to  the  TCA  MCA  using  her  te)ken.  Her  euelers  are  relayed  to 
Bob.  When  Bed)  elf'e'ieles  to  pass  on  the  order  to  Dan,  he  doe's  so  by  authentieating 
himself  te)  the  Controller  MVA,  whieh  relays  to  orders  te)  Dan  via  the  Pilot  MVA. 
The  fe)rniulatioii  of  each  order  and  relaye'd  order  is  shown  in  Table  2. 


Policv-Ba.sed  l)e^^ign  and  Verificat  ion  for  Mission  Assiiraiu 


i:r) 


©  © 
Person  Another  person 


(^Token  quoting  Rote  says  s  -- 


Key  quoting  Rote  says  s  J 


Fig.  8.  CJeneral  Pairing  of  MVAs 


Table  3.  Statements  and  Htdayt^l  Slatenunits 


Statement 

Formal  Representation 

stateiiH'iit 

(Token  \  llotr)  says  ^ 

relayed  .statianent 

(I\M\'A  1  1  Rolf  )  says  y:? 

ant lu'iiticated  slaleni(*nt 

Rote  says  ^ 

Dtducnuj  PoUciis,  (Wtificalwris.  Delegations,  and  Trust  Assumptions.  Ibisi'd 
on  tli('  ns(*  cast's  for  air  strike  rt'qiK^sts  and  air  strike'  orders.  \v('  dott'riniiK'  what 
policies,  certifications,  dek'gations,  and  trust  assnnipt  ions  are  required  to  justify 
each  MVA  action  in  the  (X)N()PS.  WV  look  at  each  MVA's  input  and  output, 
<uid  l)a.s(*d  on  tlie  CONOPS.  infer  what  policies,  certifications,  (h'legat ions,  and 
tni.st  assnnipt  ions  are  required.  VVe  look  for  rcpc'atcd  patt(*rns  of  l)(*havior  that 
h'ad  to  rep(*at('d  patterns  of  n'asoning.  Both  use  cases  exhibit  the  same  pattern 
of  h('havior  as  illnstrat(‘d  in  Figure'  8  and  fonnnlated  in  Table*  3. 

1.  A  person  ant  In'iiticates  herself  and  claims  a  role  using  a  token.  Acting  in  a 
role,  the  pe'rson  makes  a  statement  (rexpiest  or  order).  J  he  first  MVA,  M\A 
/.  anth(*nticat('s  both  the*  per.son  and  the  role*,  and  tla’ii  re'lays  th(^  stale'iiu'iit 
using  its  k('y  to  the*  se'cond  MVA,  M\A  2. 

2.  MVA  2  authentie'ates  MVA  1  and  the  role  it  is  scTving,  then  passes  tiie 
.stati'inent  up  to  the'  pe'r.son  using  MVA  2. 

(liven  the  repeated  ])attern,  \v(*  prove  two  derived  infeirnee  rules  (MVA  1  and 
3/1/1  2)  that  jn.stify  the  behavior  of  M\A  1  and  3/1/1  2. 


{Tuht  n  I  Ilo!c)  says  ^ 

K  \„ih  says  (Prrs<}H  reps  Role  on  y';) 
f^Auth  says  {Token  f^rison) 
Atiifj  controls  {Ppr.son  reps  Roh  on 
Autk  controls  (Y'oA’en  ^  Person) 
_ RAufh  .'\uth _ 

I  Role  says  ^ 


(/'“a/v  .\i  1  Rolf  )  says  y: 

RAuth  says  {  .M\  '  A  i  reps  Role  on  vr-) 
h'Auth  says  ( /\Ar\- .-ij  =>•  M\'Ai) 

Auth  controls  (MWAi  reps  Ruh  on 
Auth  controls  {Km  \  ,4  j  =>  M\‘A\) 

.  K.y.ah  ^  Auth 

M  \  a  if - — - 

Role  says  ^ 

Both  rules  have  the  .same  coni])onents.  as  shown  in  Table  1.  The  eonijaiiu'iits 
hav('  the  following  fnnetions: 


136 


S.-K.  Chin  ct  al. 


Table  4.  MVA  Inputs,  Outputs,  Certificates,  Jurisdiction,  and  Trust  Assumptions 


Item 

Formula 

Input 

( Token  or  Key  \  Role)  says 

Delegation  Certificate 

KAnth  says  {Person  or  Object  reps  Role  on 

Key  Certificate 

KAuth  says  {Token  or  Key  =>  Person  or  Object) 

Jurisdiction 

Auth  controls  {Person  or  Object  reps  Role  on  if) 

.Juri.sdiction 

Auth  controls  ( Token  or  Key  =>  Person  or  Object) 

Trust  Assumption 

RauHi  ^  Auth 

1.  input:  a  token  or  key  quoting  a  role 

2.  ccrtijicate:  a  certificate  authorizing  a  delegation 

3.  ceiiific.ate:  a  public  key  certificate 

4.  jurisdiction:  an  avSsuini)tiori  about  an  aiitliority’.s  jurisdiction  to  authorize  a 
person  or  MVA  to  act  in  a  role 

5.  junsdiction:  an  assunii)tion  about  an  authority’s  jurisdiction  over  keys 

6.  tj'ust  assumption:  knowledge  of  the  trusted  authority's  key 

Both  rules  have  nearly  identical  proofs  that  are  direct  applit'ation  of  inference 
rules  described  in  Section  3.3. 

Using  the  iiiferenee  rule  MVA  i,  we  easily  prove  the  following  ruk*  for  the  TCA 
MVA  authenticating  Carol  and  validating  her  order  for  an  air  strike,  where  SO 
is  the  Secm'ity  Ojjicer  role,  the  SO  has  jurisdiction  over  roles  and  keys,  and  Ks 
is  the  key  that  speaks  for  the  SO. 


TCA -MVA 


Token  Carol  \TC  A  says  {strike^  tor  get) 

Kso  says  {Carol  reps  TC'A  on  (strike,  target)) 
kCsa  says  Tokcrxcnmi  Carol 
SO  controls  Tokcncami  =>  Carol 
SO  controls  (Carol  reps  TCA  on  (strike,  target)) 
Kso  =>“  SO 

i<TCA.hiVA  I  TCA  says  (strike ,  target) 


Similar  rules  and  i)roofs  are  written  for  each  MVA.  The  above  discussion  on 
certificates  instalh'd  proj^erly  in  MVAs  leaxis  us  to  the  final  use  ca.se,  namely  the 
tiiist  establishment  use  case. 


5.3  Trust  Establishment 

Biba’s  Strict  Integrity  model  [4]  is  the  basis  for  maintaining  integrity  of  the 
MVAs.  As  Strict  Integrity  is  the  dual  of  Bell  and  LaPadiila's  confidentiality 
model  [3],  the  short  sninmary  of  Strict  Integrity  is,  no  read  down  and  no  unite 
up.  For  subjects  S  and  objects  O,  S  may  have  discretionary  read  rights  on  O 
if  O's  integrity  level  meets  or  cxcxhkIs  S's.  For  write  acc^ess,  S'  s  integrity  level 
must  meet  or  cxc(vh1  0\s. 


ilev(5)  <,  ilev(O)  D  S  controls  {iradA)) 
ilev(O)  <,  ilev(S')  D  S  controls  {write.  O). 

There  are  two  integrity  levels:  L„p  and  Lsec^  where  Lop  <i  Lsec^  All  certificates 
have  an  integrity  level  Lsec^  ilev(ccrf)  =i  Lsec-  Table  5  show  the  integrity 


F\)Ii(y-nfU>e(l  Design  and  V^erification  for  Mission  Assurance 


137 


Table  5,  Roles  and  Rights  to  Certificates 


Role 

Rights 

so  (Lsec) 
•ITAC  (Up) 
CoiitroIIor  (Lnp) 

rCA  (L„„) 

I’ilot  (L„„) 

install,  read 
read 
read 
read 
read 

k‘V(d  and  ccMlificate  hcc(‘Ss  rights  for  ('acli  role.  Strict  integrity'  is  satisficnl  a.s  oidy 
the'  security  officcT  SO  (with  the  same  integrity  level  Lscc  (‘(Ttificates)  can 
install  or  write  eertificates  into  MVAs.  Every  other  role  is  at  the'  Lop  level  and 
can  oidy  read  cert  ideates. 

Insfalliru/  hso^  Estahlishiiig  the  basis  for  trii.st  in  M\7\s  starts  with  the  installa¬ 
tion  of  th('  Svcmilij  OJfirtr's  key,  Kso-  This  is  assinnc'd  to  be  done  by  controlU'd 
physical  access  to  each  MV^A  that  is  deployed.  (Jnce  the  Sc'cnrity  Oflicta  's  key  is 
in  place',  the  certificates  that  an  MVA  needs  can  be  installed. 

C\’rtificat('  fnsfalldtum..  Siip])()S('  Erica  is  acting  as  th(’  Sc'cnritv  Officer  50.  Thc' 
poliey  is  that  sc'cnrity  oflicers  eaii  install  eertihc'atc's,  if  the  SO  has  a  high  enough 
iiilc'grity  level,  and  is  givc'ii  by 

ilev(ccr/)  <,  ilev(50)  D  SO  controls  (insfalLa  rf). 

Erica  s  authorization  to  act  in  the  Security  Oflicc'r  role  to  install  ecTtific’atc's  is 
given  by 


/v .so  says  Erica  re ps  SO  on  {instalLa  ri). 

This  anthorizatioii  is  accepted  unden*  the  assiiniption  that  Kso  Idat 

the  SO  licis  jnrisdu'tion.  which  is  given  by 

SO  controls  Erica  reps  SO  on  {nisfalL  c(  rt). 

The  proof  for  .justifying  Flrica’s  (‘apability  to  install  c('rtific‘ates  acting  as  a  Sccti- 
rity  Oflicc'r,  assuming  luT  iiitc'grity  level  is  L^^o  i^  straightforward  apidication 
of  inferc'iicc  rules  describc'd  in  Section  3.3. 


6  Related  Work 

The  accc'ss-coiitrol  logic  wc'  nsc'  is  based  on  Abadi  and  Plotkin  s  work  [5],  with 
modifications  deserihc'd  in  [()].  Many  other  logical  systems  have  bc'cn  usc'd  to 
rc'iison  about  aecc'ss  (‘ontrol.  Some  of  them  arc'  snimnarized  in  [7]. 

Onr  contribution  is  the  methodology  and  applic'ation  of  logic  to  describe  poli- 
cic's.  operations,  and  assumptions  in  CONORS.  Moreover,  we  have  iui])l(’nicntcd 
this  logic'  ill  the  IIOL-1  theon'iii  prover.  which  provides  both  an  independent 
verification  of  soundness  as  well  as  support  for  (‘oinpnter-assisted  reasoning. 


138  S.“K.  Chin  et  al. 


7  Conclusions 

Our  objective  is  the  put  usable  niatheinatical  methods  into  the  hands  of  piac- 
tieing  engineers  to  help  them  reason  about  polieies  and  eoneepts  of  operations. 
We  have  experiineiited  with  policy-based  design  and  verification  for  five  years 
in  the  US  Air  Force’s  Advanced  Course  in  Engineering  (ACE)  Cybersecurity 
Booteainps  [8].  Onr  experience  with  a  wide  variety  of  students,  practicing  engi¬ 
neers,  and  Air  Force  officers  suggests  that  using  the  access-c  ontrol  logic  meets 
this  objective. 


References 

1.  Corani,  R.:  Boyd:  The  Fighter  Pilot  who  Changed  the  Art  of  War.  Back  Bay 
Books/Little,  Brown  and  Company  (2002) 

2.  Gordon,  M.,  Mclhain,  T.:  Introduction  to  HOL:  A  Tlieoroni  Proving  Environment 
for  Higher  Order  Logic.  Cambridge  University  Prt^ss,  New  York  (1993) 

3.  Bell,  D.E.,  La  Padula,  L.J.:  Secure  computer  systems:  Mathematical  foundations. 
Toehiiieal  Report  Technical  Report  MTR-2547,  Vol.  1,  MITRE  Corporation,  Bed¬ 
ford,  MA  (March  1973) 

4.  Biba,  K.:  Integrity  considerations  for  secure  computer  systems.  Technical  Report 
MTR-3153,  MITRE  Corporation,  Bedford,  MA  (June  1975) 

5.  Abadi,  M.,  Burrows,  M.,  Lanipson,  B.,  Plotkin,  G.:  A  Calculus  for  Access  Con¬ 
trol  in  Distributed  Systems.  ACM  Transactions  on  Programming  Languages  and 
Systems  15(4),  706  734  (1993) 

G.  Chin.  S.K.,  Older,  S.:  Reasoning  about  delegation  and  aeeoiint  aeeess  in  retail  pay¬ 
ment  systems.  In:  MMM-ACNS  (2007) 

7.  Abadi,  M.:  Logic  in  access  control  (tutorial  notes),  145  165  (2009) 

8.  Chin,  S.K.,  Older,  S.:  A  rigorous  approaeh  to  teaeliing  aeeess  control.  In:  Proeeedings 
of  the  PJrst  Annual  Conference  on  Education  in  Information  Security.  ACM.  New 
York  (2006) 


Using  Equivalence  Relations  for  Corrective 
Enforcement  of  Security  Policies 


Khouiy  and  Nadia  Tawhi 


Depart ineiit  of  ( -oiiipiiter  Science  and  Software  KuRineeriiig,  l.aval  riiiversity. 
10()5,  avenue  de  la  Medecine,  Quebec  (QC).  Canada  GlV  GAG 
raphael . khoury . IQulaval . ca,  Nadia . TawbiQif t . ulaval . ca 


Abstract.  In  this  paper,  we  present  a  ik'w  fraiiunvork  of  ruiitiiiK'  s('- 
ciirity  policy  enforcement,  niiilding  on  previous  stiidi('s,  we  examine  the 
('iiforcenient  power  of  monitors  ahh'  to  transform  their  target’s  execution, 
rather  than  simply  accepting  it  if  it  is  valid,  or  al)orting  it  otherwise.  We 
bound  this  ability  by  a  re.st riction  stating  that  any  transformation  must 
preserve*  eeiuivaleiice  between  the*  monitor’s  input  and  output.  We  pro¬ 
ceed  by  giving  examples  of  meaningful  ('(piivalence  relations  and  identify 
the*  security  policies  that  are  enforceable  with  their  use.  We  also  relate 
oiir  work  to  previous  findings  in  this  field.  Finally,  wo  investigate  how  an 
a  priori  kiiowh'dge  of  th(‘  targ('t  j)rogram’s  Ixdiavior  would  increase  the 
monitor’s  enforcement  powc'r. 

Keywords:  Monitoring,  Security  Policy  Enforcement,  Program  Tians- 
formation,  inlined  ref('renc('  monitors. 


1  Introduction 

Ill  light  of  the  increasing  <oinpl('xity  and  interconiiectivity  of  iiiodc'ni  .software'. 
tluTe  is  a  growing  realization  that  formal  security  frameworks  are  needed  to  en¬ 
sure  code'  safety.  Because  they  have  soliel  tlu'orc'tie-al  mKkTi)inniiigs.  such  frame'- 
work  e'aii  provieic  a.ssiiraiue  that  the  desireel  security  policy  will  he  enforceel 
regarelless  eif  the  target  program’s  output.  One  such  formal  security  framenve)!  k. 
which  has  gaiiie'd  wide  ace*e'ptaue’c  in  recent  years  is  runtime'  memiteniug.  This 
api>roacli  te)  code  safety  se'eks  to  allew  an  im trusted  code  to  rim  safely  by  e)h- 
scrviiig  its  execution  ariel  rewtiiig  if  lu'enl  ho  te)  preve^iit  a  potential  \'iolatioii  of 
a  u.se'i-siipplie'd  sc'curity  jiolicy. 

The  monitor  i.s  mode'leei  as  an  automaton  which  takes  the  program  s  exe'cntie)n 
as  ini)iit,  anel  outputs  au  alte'niate  execution,  usually  by  truncating  the  input 
if  it  is  invalid.  Several  studies  have  fe)ciise'd  on  estal)lisliing  the  set  of  sexairity 
pe>lirie's  that  arc'  c'uforreablc'  by  monitors  operating  imeler  various  c'onstraiiits. 
This  i.s  necc'ssarv  to  best  select  the'  ai)i)icjpriate  ciiforcemeiit  meehanism  given 
the  dc'sireel  security  pe)lic*y  and  c'liforcomeiit  context.  In  this  study,  we  take  this 
framc'work  one  stc^p  further  and  examine  the  eiiforc*eincnt  power  of  monitors 
capable'  of  transforming  tlic'ir  input.  Howevc'i',  the  monitor’s  ability  to  do  so 
inn.st  he  constraincHl  lyv  a  rcHinirenieiit  to  maintain  an  c(|nivalc'iu  e  betwcc'ii  input 

I,  Kotenko  and  V'.  .Skorniin  (Eds.):  MMM-AC^NS  2010.  LNCS  ()2r)8,  pp,  I.IO  154,  2010. 

0  Springer-Verlag  Berlin  H(‘i<Iell)erg  2010 


140  R.  Khoiiry  and  N.  Tawhi 


and  output.  This  intuitively  corresponds  to  an  enforcement  paradigm,  closer  to 
one  that  would  be  encountered  in  practice,  in  which  the  actions  taken  by  the 
monitor  are  constrained  by  a  liiiiitation  that  certain  bidiaviors  present  in  the 
original  sequence  be  preserved. 

The  question  of  identifying  the  set  of  security  ix)licies  (termed  properties) 
enforceable  by  monitors  able  to  transform  invalid  executions  was  raised  several 
times  in  the  literature  [16.4,13,10].  While  these  studies  observe  that  this  ability 
considerably  extcmds  the  monitor’s  enforcement  power,  they  do  not  provide  a 
more  specific  characterization  of  the  set  of  enforceable  properties  w.r.t  equiv¬ 
alence  relations  other  than  syntactic  equality.  This  results  from  the  lack  of  a 
framework  con.straining  the  ability  of  a  monitor  to  transform  its  input.  This 
point  is  concisely  explained  by  Ligatti  et  al.  in  [13].  ''A  major  difficulty  with 
semantic  equivalence  is  its  generality:  for  any  reasonable  pioperfy  V  there  exists 
a  sufficiently  helpful  equivalence  relation  that  enables  a  secmity  automaton  to 
enforce  V" . 

Indeed,  the  authors  go  on  to  note  that  if  all  valid  s('qnences  can  be  thought  of 
as  being  e(iui valent  to  one  another,  any  security  policy  can  be  enforced  simply  by 
always  outputting  the  same  valid  arbitrarily  cho.sen  sequcnc('  for  all  inputs.  This 
strictly  meets  the  definition  of  enforcement  but  does  not  provide  a  meaiiingfnl 
enforcement  of  the  desired  policy. 

For  example,  consider  a  system  managing  online  i)urchases,  and  a  security 
policy  forbidding  a  u.scr  from  browsing  certain  merchandise  without  prei)aying.  A 
monitor  could  abort  the  execution  as  soon  as  this  is  attempted.  But  tlu'  property 
would  also  be  eiifor<‘ed  by  n'placing  the  input  secpieiice  with  any  .sequence  of 
actions  respecting  the  policy,  even  if  it  contains  i)urcha.ses  uiirecjnested  by  any 
users,  or  by  outputting  nothing,  depriving  legitimate  users  of  the  ability  to  ii.se 
the  .system. 

In  this  paper,  we  suggest  a  framework  to  study  the  enforceiiH'iit  power  of 
monitors.  The  key  insight  behind  our  work  is  to  state  certain  criteria  which 
must  be  met  for  an  equivalence  relation  to  be  useful  in  monitoring.  We  then  give 
two  examples  of  such  equivalence  relations,  and  show  which  S('curity  prop(Tties 
are  enforc<‘able  with  their  ii.se. 

The  contributions  of  this  pajier  are  as  follows:  First,  we  devcloii  a  framework 
of  enforceineiit,  termed  corrective^  enforcement  to  rea.son  about  the  enforcement 
power  of  monitors  bounded  to  produce  an  output  which  is  semantically  e(iui\^a- 
lent  to  their  input  with  re.sjiect  to  some  equivalence'  relation  =.  W’c  suggest  two 
possible  examples  of  such  relations  and  give  the  set  of  enforceable  security  poli¬ 
cies  as  well  as  examples  of  real  policies  for  each.  Finally,  we  show  that  the  set  of 
enforceable  properties  defined  in  [13]  for  effective  ('iiforcenient  can  be  considered 
as  .special  cases  of  our  more  general  framework. 

The  remainder  of  this  paper  is  organized  as  follows.  Section  2  presents  a 
review  of  related  work.  In  Section  3,  we  (h'fiiK'  some  concepts  and  notations  that 
are  used  throughout  the  paper.  In  Section  4,  we  show  under  what  conditions 
equivalence  relations  can  be  used  to  transform  sequences  and  (uisiire  the  respect 
of  the  security  policy.  The  set  of  security  policies  which  can  be  enforced  in 


Tsiiig  KtjiiivfikMico  Relations  for  Correetiv(‘  Knforeeniont  of  Seriirity  Policies 


m 


this  iiiaiiiior  is  ('XHiiiiiied  in  St'ction  5.  In  Section  6,  we  give  two  examples  of 
possible  eqiiival(Mic(*  relations  and  show  that  they  can  serve  as  th('  basis  for 
th('  enforc('ineiit  of  meaningful  security  j)roj)erties.  In  section  7,  we  invest  igaU* 
how  an  a  priori  knowdedge  of  the  target  j)rogram's  behavior  would  iiu'roitse  tlu* 
monitor's  enforcement  j)ower.  Concluding  remarks  and  avenues  for  future  work 
ar(‘  laid  out  in  Section  8, 

2  Related  Work 

S(hn(nder,  in  his  seminal  work  [10],  was  the  first  to  investigate'  th('  (]nestion  of 
which  security  j^olicies  could  Ik'  enforced  by  monitors.  He*  fe>cuseel  on  spe'cifie* 
classes  of  monitors,  which  observe  the  exe'cutie)n  of  a  target  program  with  no 
knowle'dge  of  its  pexssible  future  behavior  atid  with  no  ability  to  affect  it,  e\\e'e*pt 
by  aborting  the  exe'eaition.  Under  these  conditions,  he  foiinel  that  a  monitor  e'emlel 
enforce  the  prexase  sc'curity  pe)licies  that  are*  ideaitifiexl  in  t  he  lite'rature*  as  sajeh/ 
pre)p(Tt ies,  and  are  informally  (’haracterized  by  j)rolubiting  a  ce'rtain  bael  thing 
fre)ni  oce  nrring  in  a  given  ('xe'cntion. 

Schneider's  .study  alse)  suggeste'el  that  the  set  of  proj)ertie's  enfe)rce*able  by 
monite)rs  e‘e)ukl  be  extended  nnd(T  certain  conditions.  Building  on  this  insight, 
Ligatti,  Baner  and  Walker  [1,12]  examined  the  way  t  he  set  of  policies  ('iiforcc'able 
by  monitors  would  be  extended  if  the  monitor  had  souk*  k\iowledg('  of  its  target's 
po.ssible  behavior  or  if  its  ability  to  alter  that  behavior  were  incn'Jtsed.  'Vho  au¬ 
thors  niodifit'd  the  above  tlefinition  of  a  monitor  along  three  axes,  namely  (1)  t  lu* 
nu'aiis  at  the  disposal  of  the  monitor  in  onkT  to  ix’spond  to  a  possible  violation 
of  the  st'ciirity  policy;  (2)  wh(*ther  the  monitor  Inis  access  to  information  about 
the  program's  j^ossibk*  Ix'havioi;  and  (.‘I)  how  strictly  the  monitor  is  rcxpiin'd 
to  enforce  the  security  policy.  Consetinent ly,  they  were  abk*  to  provide  a  rich 
taxonomy  of  classes  of  sec  urity  j)ohci('s.  assoc  i at ed  with  the  ap])ropriat(*  mo(k'l 
needed  to  (Miforce  them.  Several  of  tlu'.sc*  models  an*  strictly  more  powx’rful  than 
the  sc'curity  automata  develoj)ed  by  Schneider  and  an*  used  in  prac  tice. 

Evolving  along  this  line*  of  inciiiirv,  Ligatti  et  ah  [13]  gave  a  more*  prcxisc* 
clelinition  of  the  sc*t  of  j)ro])ertic*s  enfoiTc*ablc'  by  the  most  powcTful  monitors, 
while*  Fong  [9]  and  Talhi  et  ah  [I8]  c*xpoim(lc'cl  on  the  capabilitic's  of  monitors 
opcTating  undc*r  inemoiy  c'onst  raiiits.  Hanilen  et  al.  [10]  ,  on  the  other  hand. 
.show'C'cl  that  in-lined  monitors  (whose  oi)(*ration  is  injected  into  the  targc't  pro¬ 
gram's  code*.  rathcT  than  working  in  i^arallel)  can  also  enforce  more  propc’rtic's 
than  those*  modek*d  by  a  se*curity  automaton.  In  [3],  a  mc'thod  is  given  to  en¬ 
force*  both  saf(‘ty  and  co'sajdij  ])roperties  by  monitoring.  The  set  of  pro])ertie's 
e'lilbrcexibk*  by  monitors  aided  by  static  analysis  of  the  program  is  ('xamine'd  in 
[().7].  In  [5].  Bielova  et  al.  ele*line'ate  the  se*t  of  i)r()i)('rtie*s  e'nforce*able*  by  a  mon¬ 
itor  limited  to  .suppressing  a  finite*  snb.s('(|n(*nc('  of  the  ex(*cntion  before  eithc'r 
outputting  or  ek'k'ting  them.  In  [15],  Ligatti  et  ah  propose  an  alternate,  more* 
gene*ral  model  of  monitoring,  which  inipose*s  on  the*  monitor  that  it  re'si)e)nel  to 
the*  targe*t  i)rogranrs  actions  in  lock  step. 


142  n.  KFioury  and  N.  Tawbi 


3  Preliminaries 

Let  us  briefly  start  with  some  preliminary  definitions. 

Exeeiitions  are  modeled  as  sequences  of  atomic  actions  taken  from  a  finite  or 
(‘ountably  infinite  set  of  actions  U.  The  empty  seqiien(‘e  is  noted  e,  the  set  of  all 
finite  length  seciuences  is  not(»d  Z**,  that  of  all  infinite  length  sequences  is  noted 
and  th('  set  of  all  i)ossible  sequences  is  noted  Z"^  =  Z*^  U  Z*.  Likewise,  for 
a  set  of  seciiiences  5,  S*  denote  the  finite  iterations  of  sequences  of  S  and 
that  of  infinite  iterations,  and  U  S* .  Let  r  G  Z"  and  a  G  Z^  be  two 

sequences  of  actions.  Wc  write  r;  a  for  tlu'  concatenation  of  r  and  a.  We  say  that 
r  is  a  prefix  of  a  noted  r  X  rr,  or  equivalently  rr  y  r  if J  there  exists  a  sequence 
(T^  such  that  —  a.  We  write  r  a  (resp.  rr  r)  for  r  :<  rr  A  r  ^  <t  (resp. 
(T  y  T  t\r  ^  (t).  Finally,  let  r,  (T  G  Z'^,  r  is  said  to  be  a  suffix  of  cr  iff  there  exists 
a  (j'  G  Z*  s.t.  (T  —  rr';  r. 

We  denote  by  prvf{(T)  (resp.  siLf[(T))  the  set  of  all  prefixes  (resp.  suffixes)  of 
<7.  Let  A  C  Z^  be  a  subset  of  sequences.  Abusing  the  notation,  we  let  pref(A) 
(rosp.  ,su/(^))stand!s  for  (>c«P-  [JaeA 

a  s('quenc(*  rr  is  given  as  rrj,  rr^  denotes  tli('  first  action  of  rr,  rr[L  j]  denotes  the 
se(iuen(e  occurring  between  the  and  actions  of  rr,  and  ct[/,..]  denotes  the 
remainder  of  the  scHiuence,  starting  from  action  rr,.  The  length  of  a  secpience 
r  G  Z*  is  given  as  |r|. 

A  multiset,  or  bag  [17]  is  a  generalization  of  a  set  in  which  each  element  may 
occur  multiple  times.  A  multiset  A  can  be  formally  defiiK'd  as  a  pair  (A,  /)  where 
A  is  a  set  and  /  ;  A  — +  N  is  a  function  indicating  the  uinnber  of  occurrence's 
of  eacdi  element  of  A  in  A.  Note  that  a  ^  A  <=>  f{a)  —  0.  Thus,  by  using  this 
insight,  to  define  basic  operations  on  multisets  one  can  consider  a  imivc'rsal  sed 
A  and  differc'iit  functions  of  type  A  — ^  N  associatc'd  with  it  to  form  different 
multisets. 

Ciiveii  two  multisets  A  =  (A./)  and  B  =  (A,//), the  multiset  union  AuB  = 
(A,/?)  wh(M*e  Vc7  G  A  :  h((i)  =  f{a)  -f  c;(u).  Furthermore,  A  C  B  Va  £  A  : 
f((i)  £  .(/(^)‘  removal  of  an  element  a  G  A  from  multiset  A  is  done  by 
updating  the  function  /  so  that  /(u)  =  7/m.r(/(a)  —  1,0). 

Filially,  a  security  policy  P  C  Z"^  is  a  set  of  allowed  exc'cutioiis.  A  policy 
P  is  a  property  iff  there'  exists  a  decidable  prc'dicate  P  over  the  executions  of 
Z’^  ,s.t.  C7  G  P  other  words,  a  property  is  a  policy  for  which  the 

membership  of  any  sequence  can  bc'  determinc'd  by  examining  only  the  .secpieiu  e 
itself.  Such  a  seciiience  is  said  to  he  valid  or  to  respect  the  property.  Since  all 
policies  enforceable  by  monitor.s  are  properties,  we  use  V  to  refer  to  policies  and 
their  characteristic  predicate  interchangeably.  Properties  for  which  tlu'  empty 
sequence  r  is  a  member  are  said  to  be  reasonable. 

A  number  of  classes  of  properties  have  been  defiiu'd  in  the  literature  and  arc 
of  si)ecial  interest  in  the  study  of  monitoring.  First  are  .safety  properties  [11], 
which  proscribe  that  certain  ‘bad  things"  occur  during  the  execution.  Let  Z  be 
a  set  of  actions  and  V  be  a  property,  V  is  a  safety  property  iff 


Va  G  Z^  :  -np(a)  ^  3a'  ^  a  iW  y  a  :  -P(r) 


(.saft’ty) 


Using  Kqnivaloucr  I{{'Iatious  for  (’orrc'c  t ivr  luiforcoinrut  of  Security  Poluies 


143 


Alt(M-iiativ(’Iy,  a  livnicss  property  [2]  is  a  i)rc)i)orty  prc'scribing  that  a  certain 
'‘g()o<l  tiling'’  must  oecair  in  any  valid  execution.  Formally,  for  an  action  s('t 
and  a  property  P,  P  is  a  livene>>s  property  iff 

Vrr  €  U'*  :  3r  €  ;  r  ^  rr  A  P(r)  (liveiu'ss) 

Any  propi'i'ty  ran  be  stated  as  the  conjniiction  of  a  safety  pro])eity  and  a  liv(’- 
iK'ss  property  [1].  Another  relc'vant  set  of  properties  is  that  of  infinite  renewal 
])roi)(‘rties  (rcT/cw’a/),  defined  in  [13]  to  characterize  the  st't  projierties  enforceable 
by  edit-aiitoniata  monitors  using  syntax'tii'  equality  as  the  equivalence  ndation. 
A  i)ro])(*rty  is  member  of  this  s(’t  if  every  infinite  valid  stHpuaicc'  has  infiniti'ly 
many  valid  ])refixes,  while  every  invalid  infinite  sequence  has  only  finitely  many 
such  prefix('s.  I  ornially.  for  an  action  S(‘t  A?  and  a  i)roi)iM*ty  P,  P  is  a  nniewal 
projierty  iff  it  meets  tlu'  following  two  ('qnivalent  conditions 

Vrr  £  :  P(rr)  {rr'  X  rr\'P{(T')}  is  an  injiniic  set  (nnunvab) 

Vrr  G  :  V((t)  (V<t'  <  a  :  3t  -<  rr  :  a'  -<  T  A  V{t))  (rc'iu’wahj) 

Note  that  the  (h'finition  of  ri'iu’wal  iinixises  no  rc'strictions  on  tlu’  finite  si'cpiences 
in  P.  For  infinite  s(Hpienci\s,  tlu*  s(*t  of  reiu’wal  ])ro])erties  inchules  all  safety 
properties,  some  liveiu'ss  ])rop(’ities  and  some  jiroperties  which  are  neither  safety 
nor  live  ness. 

Finally,  we  formalize  the  the  set  of  fraiLsariional  properties,  suggested  in  [13], 
which  will  be  of  n.si*  in  sc’ction  fi.l.  A  transactional  projierty  is  one  in  which 
any  valid  sc’cpu'ncc*  consists  of  a  concatenation  of  valid  finite  transactions.  Such 
properties  can  model,  for  ('xanqih*,  tlu*  behavior  of  systi‘ms  which  repc’atc'dly 
int(’racts  with  cru’iits  using  a  well  defined  i)rotocol.  snch  as  a  system  managing 
the  allo(*ation  of  rc’sonrc'c*  or  tlu*  actc'ss  to  a  database*.  L(‘t  A  be  an  action  S('t 
and  T  C  b<*  a  subset  of  finite*  transactions.  P/-  is  a  tran.sactional  propc’rty 
ov(*r  set  T  iff 

V(T  G  A^  :  Vf\(T)  er  G  7'^  (t  ransactional) 

This  d(*linition  is  subtly  difler(*nt,  and  ind(*ed  forms  a  snbs(*t,  to  that  of  ite'rative* 
I)roj)erties  defined  in  [5].  transactional  prop(*rtic*s  also  form  a  subset  to  the  s(*t 
of  renewal  ])r()perties,  and  inchuh*  some*  but  not  all  salety  properties,  liveiu'ss 
properties  as  well  as  ])ro])ert ic's  wdiich  are  neitlu*!*. 

4  Monitoring  with  Equivalence  Relations 

The  idea  of  using  cHjnivak'nce*  relations  to  transform  execution  se(|uenc‘es  was 
first  sngge’stc'd  in  (lOj.  The  ('qiiivalencc  relations  are*  re*stricteul  to  theise  that  are* 
consistrni  with  the  .se'eairitv  peilicy  under  eonsieh'ratiein.  Le*t  P  be  a  security 
peilicy.  tlu*  consist (*ncy  criterion  for  an  eeinivale’iu'e*  re'lation  ~  is  given  as: 

VeJ,eT'  G  A'^  :  er  ^  ej'  ^  V{ct)  ^  P(ej'). 


(('eaisisteiu'v) 


144 


R.  Khoury  and  N.  Tawbi 


Yet,  111)011  closer  examination,  this  criterion  seems  too  restrictive  for  onr  pur¬ 
pose’s.  If  any  two  equivalent  sequences  always  meet  this  criterion,  an  invalid 
prefix  can  iieven*  Ix'  made  valid  by  replacing  it  with  another  eciuivalent  one.  It  is 
thus  impossible  to  ‘'correct’'  an  invalid  jirefix  and  output  it. 

It  is  still  necessary  to  impose’  some  restrictions  on  equivalence  relations  and 
their  relation  to  properties.  Otherwise,  as  discussed  ahewe,  any  projie’rty  would 
1)0  enforceable,  but  not  always  in  a  meaningful  manner. 

Ill  this  pape'r,  we  suggest  the  following  alternative  framework. 

Following  jirevious  work  in  inoiiitoring  by  Fong  [9],  we  use  an  abstraction 
function  T  :  E*  ^  T.  to  capture  the  i)roperty  of  the  input  seeiiie’iice’  which  the 
inonitor  must  preserv'c  throughout  its  manipulation.  While  Fong  made  use  of 
abstractions  to  reeluee'  the  overhead  of  the  inonitor,  we  use  them  as  the’  basis 
for  our  equivalence  relations.  Siie’li  an  abstraction  can  caiiturc’  any  property 
of  relevance.  This  may  be',  for  e'xample.  the  i)resence  of  certain  subwords  or 
factors  or  any  e)tlier  semantic  jiroix^rty  of  interest.  We’  e’xjie’e’t  the  property  to  be 
coiisi.stent  with  this  abstraction  rather  than  with  the  (’qiii valence  relation  itself. 
Formally: 


jr(^)  =  ^  r(rT)  ^  P(eT')  (4.1) 

Furthermore,  we  restrict  ourselves  to  equivalence  re’lations  which  group  toge’the’r 
se’epieaice’s  fe)r  which  the  abstraetiein  is  similar.  To  this  end.  we’  le’t  <  stand  for 
some  partial  oreler  over  the  v^alues  of  T.  We  define  □  as  the  partial  order  defiiu’d 
as  Vrr, ex'  ^  E*  :  a  O  a'  ^  ^Ye  eepiivalcntly  write  er'  □  rr  and 

a  C 

The  transformation  performed  by  the  inonitor  on  a  give’ii  sequence  r  produces 
a  new  sequence  r'  s.t.  r'  □  r.  To  ease  the  monitor’s  task  in  finding  such  a  suitable 
replacement,  we  impose  the  following  two  constraints  on  the  equivalence  relations 
u.scd  ill  monitoring. 

First,  if  two  secpicnces  ar('  equivalent,  any  intermediary  .sequence  ovc’i*  C  is 
also  cfiiiivalent  to  them. 


a  Q  a'  Q  a"  A  rr  =  a"  ^  a  =  a'  (4.2) 

Second,  two  sequences  cannot  be  c(]iiiv^aleiit  if  they  do  not  share  a  comiiioii 
greatest  lower  bound. Conversely,  the  greatest  lower  bound  of  two  equivalent 
se([uences  is  also  ecpiivaleiit  to  them.  These  last  two  criteria  are  stated  together 
as: 


Vrr.  rr'  ^  E*  :  a  a  =>  3r  ^  E*  :  r  —  (a  H  a')  A  r  =  cr  (  b3) 

where  (a  D  a')  =  r  s.t.  tQctAt^  a' A  □  t  :  t'  □  (T  A  t'  C  o-') 

The  intuition  behind  tlu’  above'  two  restrictions,  is*  that,  if  an  eepiivak’iice 
restriction  meets  these  two  crite’ria.  a  monitor  looking  for  a  valid  sc’queiice  equiv¬ 
alent  to  an  invaliel  input  simply  has  to  iteratively  perform  certain  transforma¬ 
tions  until  such  a  seque'uce  is  found  or  until  every  (’ciuivalent  sequence  has  been 
examined. 


Using  Equivalence  Relations  for  Corrective  Enforcement  of  Security  P(>lic“i(\s 


M5 


We  define  oiir  (Hiiiivaleiiee  relations  over  finite  seciuences.  Two  infinite  s(‘- 
(ineneos  are  equivalent,  iff  they  have  infinitely  many  valid  equivalent  prefixes. 
Let  =  be  an  equivalence  relation  over  the  sequences  of  iT* 


Vrr.  a  G  :  c7  =  a  ^  <  (7  :  3'n  >  T  :  3r'  -<  a  :  r  =  (1.4) 

It  is  easy  to  see  that  an  equivalence^  between  infinite  .seeinence  not  meeting  this 
criterion  would  l)e  of  no  use  to  a  monitor,  which  is  bound  to  transform  its  input 
in  finite  time. 

Finally,  impose  the  following  closure  restriction: 

r  =  r'  =>  r;  er  =  r';  rr  (1.5) 

This  may.  at  first  sight,  seem  like  an  extremely  restrictive  condition  to  be  imj)ose(l 
but  in  fact  every  meaningfiil  redation  that  we  exainiiu'd  luts  this  j)ro])erty. 

Furthermore,  no  security  j^roperty  can  be  enforced  using  an  e(|nivalence  rela¬ 
tion  Un  king  this  property.  Consider  for  example  what  wonld  happen  if  a  monitor 
is  prescnt('d  with  an  invalid  ])refix  r  of  a  longc'r  in])iit  secjiience  for  which  there 
exists  a  valid  e(|nivalent  secinence  r'.  It  wonld  be  natural  for  tin'  monitor  to 
transform  r  into  r'.  Yet  it  wonld  also  be  possible  that  the  full  original  sequence 
(7  >  T  be  actually  valid,  but  that  there  exists  no  equivalent  sequence  for  whk  h 
r'  is  a  |)refix. 

In  fact,  □  organizes  the  s('(|neiices  according  to  soiik'  semantic  framework, 
using  values  given  by  an  abstraction  function  !Fs  V  estaltlishes  that  only  certain 
value's  of  JT  are  valid  or  that  a  cc'rtain  threshold  must  Ih'  reached,  while  =  groups 
the  sequences  if  their  abstractions  are  ecinivalent.  In  section  G,  we  give  examples 
that  show  how  the  framework  describc'd  in  this  section  can  l)e  used  to  niodc'l 
desirable  security  properties  of  i)rograms  and  meaningfiil  ('(piivalence  relations 
between  their  executions. 

5  Corrective  Enforcement 

In  this  section,  w('  jiresent  the  automata-basc'd  niodc'l  usc'd  to  study  th('  enforcc'- 
ment  inechanism,  and  give' a  more'  formal  definition  of  our  notion  of  enforcement. 

The  ('dit  automaton  [4,13]  is  the  most  genc'ral  niodc'l  of  a  monitor.  It  capture's 
the  behavior  of  a  monitor  cajiable  of  in.serting  or  sujijnessing  any  action,  as  well 
a.s  halting  th('  ('xeention  in  progress. 

Definition  1.  An  tdif  aufovinfon  is  a  fnplc  {E,  Q,  (j{).  6)  : 

—  E  is  a  finite  or  countably  infinite  set  of  actions: 

Q  is  a  finite  or  countably  infinite  set  of  states: 
qo  e  Q  is  the  initial  state: 

S  :  (Q  X  E)  (Q  X  E"^)  is  the  transition  function,  which,  qiven  the  cur- 
rent  state  and  input  action,  specifics  the  automat  on's  output  and  imcce.Hsor 


^  This  definition,  taken  from  [18].  is  ecjiiivaleiit  to  the  one  given  in  [4]. 


146  R.  Khoury  and  N.  Tawhi 


state.  At  amj  .*itep.  the  automaton  may  accept  the  action  and  output  it  intact, 
suppress  it  and  move  on  to  the  next  action,  output  nothing,  or'  output  some 
other  sequence  in  .  If  at  a  given  state  the  transition  for  a  given  action  is 
undefined,  the  automaton  aboris. 

Lot  A  be  an  edit  aiitoinaton,  wo  lot  A{(t)  he  the  output  of  A  wlu'ii  its  input  is  (t. 

Most  studies  on  this  topio  havo  focused  on  effective  enforcement.  A  ineclianisin 
offootively  enforocs  ci  security  property  iff  it  respects  the  two  following  principles, 
from  [4]: 

L  Soundncs.s  :  All  output  iniist  respect  the  desired  property. 

2.  Tran.sparcncg  :  The  semantics  of  executions  which  already  respect  the  prop¬ 
erty  must  be  preserved.  This  naturally  requires  the  use  of  an  equivalence 
relation,  stating  when  one  sequence  can  be  substituted  for  another. 

Definition  2.  Let  A  be  an  edit  automaton.  A  effectively^  enforces  the  properiy 
Viff^aeE^ 

/.  ^(^(0-))  (Le.  A{(t)  is  valid) 

2.  V{o-)  =>  A{(t)  ~  a 

In  the  literature,  the  only  equivalc'iice  relation  =  for  which  the  set  of  effecti¬ 
vely^  oiiforcoablo  properties  has  boon  formally  studied  is  syntactic  e(piality[4]. 
Yet,  offootivo  enforcement  is  only  one  paradigm  of  enforcement  which  has  been 
siiggested.  Other  enforcement  paradigms  include  precise  enforcenieiit[4],  all-or- 
nothing  delayed  enforcement [5]  or  coiiserviitive  (Miforeement[4]. 

In  this  .study,  we  introduce  a  new  paradigm  of  security  property  eiiforcx'inent, 
termed  corrective^,  eiiforceinent.  An  enforeeiiient  mechanism  correctively^  en¬ 
forces  the  (h'sirecl  property  if  every  output  secpieiice  is  l)Ot  h  valid  and  equivalent 
to  the  input  sequence.  This  captures  the  intuition  that  the  monitor  is  both  re¬ 
quired  to  output  a  valid  sequence,  and  forbidden  from  altering  the  semantics  of 
the  input  sequence.  Indeed,  it  is  not  always  rctisonable  to  accept .  as  do  preceding 
studies  of  monitor's  eiiforeemeiit  power,  that  tlu'  monitor  is  allowed  to  replace 
an  invalid  execution  with  any  valid  secpieiice,  even  c,  A  more  intuitive  model 
of  the  d(\sired  behavior  of  a  monitor  would  rather  require  that  only  minimal 
alterations  be  made  to  an  invalid  sequence,  for  instance  by  releasing  a  re.soiirce 
or  adding  an  entry  in  a  log.  Those  parts  of  the  input  sequence  which  are  valid, 
should  be  preserved  in  the  output,  while  invalid  behaviors  should  be  corrected 
or  removed.  It  is  precisely  these  corrective  behaviors  that  we  s('ek  to  model  u.s- 
ing  our  equivalence  relations.  The  (uiforceinent  paradigm  thus  ensures  that  the 
output  is  always  valid,  and  that  all  valid  behavior  intended  by  the  user  in  the 
input,  is  pre.sent  in  the  monitor‘s  output. 

Definition  3.  Let  A  be  an  edit  automaton.  A  correct ivelv'^  enforces  the  property 
Viff'^oeE^ 

1.  ViAicr)) 

2.  A{(r)  S  (T 


losing  Equivalonco  Relations  for  Corrective  Enforcement  of  Security  Policies 


147 


A  monitor  can  correctively^  enforce  a  j)roj)erly  iff  for  every  possil)le  sequence' 
there  exists  an  equivalent  valid  sequence  whicli  is  eitlier  finite  or  has  infinitely 
niany  valid  prefixes,  and  tlu'  transforniation  into  this  sequence  is  coniputahle. 

Theorem  1.  A  property  V  is  convdively^  cnfoireahle  ijj 

L  3V'  :  (V'  C  p)  A  {V'  C  Bi  m  wal) 

2.  V  is  rvasonahlc 

S.  There  exists  a  computable  function  7  :  ^  T’'  :  Ver  G  :  7(<7)  =  a, 

4.  Ver'  ;-<  (7  :  7((7')  :<  7(ct) 


Proof.  (=>  direction) 

By  construction  of  the'  follewing  automaton.  A  =  {}J.Q.q[).S)  wlu're 

—  Q  =  U* .  the  secpienee  of  ae  tions  se'C'ii  so  far. 

—  (Io  =  f 

—  The  transition  function  5  is  given  as  6{(T,a)  =  (<7;  a,  <7'),  wlic're  rr  —  r/:  r  and 
7(rr;  0)  =  7(cr):  <7' 

Note  that  from  condition  3  of  tlu'orem  1  we  have'  that  '){cT:n)  is  always 
elcfined,  and  fre^m  conelitie)n  4  that  it  will  take'  the  recursive  form  ele'scribe'el 
ahe:)ve'. 

The’  automaton  maintains  tlie'  fe)lle)wing  invariants  lN\'(c|):  At  state  q  =  a.  7(<7) 
has  bee'll  enitput  se>  far,  this  outj>iil  is  valid  and  e'qiiivale'iit  te)  a. 

The’  invariant  hedels  initially,  as  by  elefinitie)n.  r  is  valiel  aiiel  eupiivalent  te)  itself. 
An  induction  can  tlie'ii  show  that  the'  invariant  is  jn’escrve'el  by  the'  transitiein 
re'latie)!!. 

elire'ctiein)  Let  7((7)  be  whatever  the  aute)mate)n  outputs  ein  input  <7.  liy 
elefiiiitie)!!.  7  is  a  cejinpiitable  function.  Furthermore,  we  have  that  V{a)  and 

\\V  ii(‘<'(l  to  show  that  the  image  of  7  is  a  pro])('rtv  V  iiielndcd  in  V  and 
in  renewal.  That  the'  image'  e>f  7  is  a  subset  of  V  follows  trivially  from  tlie' 
a.ssinnptions  V<7  €  :  V{A{(7)).  Furth('rnie)re,  we're'  the  eiutpnt  ne)t  in  renenval. 

it  weiulel  iiiclneie  valid  sequence's  witli  only  finitely  many  valiel  prefixes.  Ye't, 
since  the  aiitomatoirs  transition  fnnetion  is  re'stricteel  to  output ing  finite  valiel 
sequences  by  the  requirement  that  the  finite  input  be  equivalent  tei  tlie  output 
aiiei  equatieni  4.4  ,  this  is  iinpeissible.  It  feDllows  tliat  the  image  of  7  is  a  subset 
of  V  anel  renewal.  It  is  also  easy  to  sec  that  V{f).  since  if  it  were  not  the  case, 
a  violatie)!!  would  oee’iir  e've'ii  in  the  ab.sene'e  of  any  input  action.  Finally,  siiu’e 
7  is  apjdie'el  re'cnrsively  to  eve'iy  prefix  of  the  input,  it  is  thus  unavoidable  that 
V<7'  ^  a  :  7(<7')  :<  'y{<7).  □ 

An  equivalence  relation  =  ovc'i*  a  given  set  E*  (an  b('  .s('('n  as  a  set  of  pairs 
(.7% /y),  with  j*,  ?y  €  E* .  This  allows  ('quivalence  relations  over  the  same  sets  to  be 
compared.  Relation  =1  is  a  refinement  of  relation  =2.  not('d  =i<  =2  if  the  set 
of  pairs  in  =1  is  a  strict  sul>set  of  tlio.se  in  =2- 


148  R.  Khoiiry  and  N.  Tawbi 


Theorem  2.  Let  =i,  =2  be  tv)o  equivalence  relations  and  let  enforeeable^  stand 
for  the  set  of  properties  which  are  eorreetively^  enforceable,  then  we  have  =  i<  =2 
=>  enf orceable^^  C  enforceable^^. 

Proof.  It  is  easy  to  see  that  any  property  which  is  correctively^^  enforceable  is 
also  correctively ^2  enforceable,  since  every  pair  of  sequence  that  are  equivalent 
w.r.t.  are  also  equivalent  w.r.t.  =2-  The  property  can  thus  be  correct ively^^ 
forced  using  the  same  transformation  function  7  as  was  used  in  its  correctively^, 
enforcenieiit. 

Let  [a]^  stand  for  the  set  of  sequences  equivalent  to  a  with  respect  to  relation 
=.  By  assumption,  there  is  a  a  s.t.  C  ^  property  defined 

s.t.  ^  T  ^  This  property  is  not  correctively^,  enforceable  as  there 

exists  no  valid  equivalent  sequences  which  the  monitor  can  outi^ut  when  its  input 
is  a.  The  ])roperty  can  be  correctively ^2  (enforced  by  outputting  a  sequence  in 
when  the  input  is  a.  □ 

It  follows  from  this  theorem  that  the  coarser  the  equivalence  relation  used  by 
the  monitor  is,  the  greater  the  set  of  (uiforceable^  properties. 

The  following  lemma  is  used  in  setting  an  iipj^er  bound  to  the  set  of  enforceable 
properties. 

Lemma  3.  Let  =  be  an  equivalence  relation  and  V  be  some  eoneetwely^  en¬ 
forceable  property.  Then,  for  all  s.t.  'PC  P^  we  have  that  V  ’  is  coTTcctively^ 
enforceable. 

The  monitor  has  only  to  simulate  it\s  enforcement  of  P  in  order  to  correct ively<^ 
enforce  P\ 


6  Equivalence  Relations 

111  this  section,  we  consider  two  examples  of  the  equivalence  relation  =,  and 
examine  the  set  of  projierties  enforceable  by  each. 

6.1  Factor  Equivalence 

The  first  equivalence  relation  we  will  consider  is  factor  equivalence,  which  mod¬ 
els  the  class  of  transactional  proj^ertu^s  introduced  in  section  3.  A  word  r  £  E* 
is  a  factor  of  a  word  uj  £  if  cj  =  with  d  £  E*  and  ?/  £  E^.  Two 

sequences  r,  r'  are  factor  equivalent,  w.r.t.  a  given  set  of  valid  factors  T  C  E*  ii 
they  both  contain  the  same  multiset  of  factors  from  T.  We  use  a  multiset  rather 
than  simply  comparing  the  set  of  factors  from  T  occurring  in  each  sequence  so  as 
to  be  able  to  distinguish  between  sequences  containing  a  different  number  of  oc¬ 
currences  of  the  same  subset  of  factors.  This  captures  the  intuition  that  if  certain 
valid  transactions  are  present  in  the  input  sequence,  they  must  still  be  present 
ill  the  output  s(K|uence,  regardless  of  any  other  transformation  made  to  ensure 
compliance  with  the  security  property.  In  this  context,  the  desired  behavior  of 


Using  Equivalence  Relations  for  Corrective  Enforccinont  of  Security  Policies  1 19 

the  system  can  be  defined  by  a  multiset  of  valid  transactions.  A  valid  run  of  this 
system  consists  of  a  finite  or  infinite  sequence  of  well-formed  transactions,  while' 
an  invalid  sequence  is  a  sequence  containing  malformed  or  incomplete  transac¬ 
tions.  One  may  reasonably  consider  all  sequences  exhibiting  the  same  multiset  of 
valid  transactions  to  be  equivalent  to  each  other.  Transactional  properties  form 
a  subset  to  the  class  of  renewal  properties  which  can  be  effect ively=  enforced 
[13],  wiiich  allows  the  longt'st  valid  prefix  to  be  output  [14].  In  [5],  Bielova  et  al. 
propose  an  alternate  enforcement  paradigm,  which  allows  all  valid  transactions 
to  be  output.  Corri'C’tivec  enforcement  can  l)c  seen  as  a  generalization  of  their 
work. 

Let  valid'r{(7),  w4iich  stand  for  the  multiset  of  factors  of  from  the  sequence 
a  which  are  present  in  T,  be  the  abstraction  function  T ,  The  partial  order  Q 
used  to  correctively  enforce  this  property  is  thus  given  as  Vrr.  cr'  €  :  a  C 

rr'  valid'T{(j)  C  v(dUlr{a').  This  partial  order  captures  the  intuition  that  any 
valid  tran.saction  present  in  the  original  se(iuence  must  also  be  present  in  the 
monitor‘'s  output. 

For  example,  let  E  =  {open,  close,  log}  be  a  set  of  atomic  actions  and 
let  T  =  {open;  log;  close)  be  the  set  containing  the  only  allowed  transac¬ 
tion.  If  the  input  sequence  is  giv^en  as  rr  =  log;  open;  log;  close:  log:  open; 
close:  open;  log;  close,  then  ral.idj-{a)  is  the  nniltisc’t  containing  two  instances 
of  the  factor  open;  log;  close. 

Intuitively,  a  sequence  is  smaller  than  another  on  the  partial  order  if  it  has 
strictly  fewer  transactions,  and  two  sequences  are  eciiiivaleiit  if  they  share  the 
same  valid  transactions. 

\VV'  now  turn  our  attention  to  the  set  of  propc'rties  that  are  correctively^.^ 
enforceable.  Intuitively,  a  monitor  can  enforce  this  pro|)erty  by  first  suppressing 
the  execution  until  it  has  seen  a  factor  in  T.  at  which  point  the  factor  is  out¬ 
put,  while  any  invalid  transac  tion  is  suppres.sed.  This  iiK'thod  of  enforcement  is 
analogous  to  the  one  dc'seribed  in  [5]  as  delayed  all-or-nothing  enforcement.  Any 
sc'cinence  output  in  this  manner  would  |)reserv('  all  its  factors  in  T,  and  thus  be 
ec|nivalent  to  the  input  seqnenc'e,  but  is  composed  of  a  concatenation  of  fac  tors 
from  T,  and  hence  is  valid. 

Let  T  G  E*  be  a  .sc‘t  of  factors  and  let  Vr  a  transacM  ional  property  as  defined 
ill  section  3.  Note  first  that  all  properties  enforceable  by  this  approach  are  in 
renewal,  ^is  thc'v  arc'  formed  by  a  concatenation  of  valid  finite  sequenc  es.  Also, 
the  property  necessarily  must  be  reasonable,  (i.e.  V{f))  as  the  monitor  will  not 
output  anything  if  the  input  sc'qiience  docs  not  contain  any  factors  in  T.  Finally, 
for  the  property  Vj-  to  be  correctively^^  enforceable  in  the  manner  described 
above,  the  following  restriction,  tc'rmed  unambigiiity  must  be  imposed  on  T: 


V(T.  ct'  G  T  ;  Vr  G  />rr/(cT)  ;  Vr'  G  suf{(7')  :  r  ^  f  /\t*  ^  e  ^  ^  T 

(imambiguity) 

To  understand  why  this  rc'striction  is  necessary,  consider  what  would  happen  in 
its  ab.sence:  it  would  be  possible  for  the  monitor  to  receive  Jis  input  a  secpience 
which  can  be  parsed  either  as  the  concatenation  of  some  valid  transactions,  or  as 


150  R.  Klioury  and  N.  Tawbi 


a  different  valid  transaction  bracketed  with  invalid  factors.  That  is,  let  (Ti  ;  <^2  = 
be  the  iiioiiitor’s  input,  with  <ti,(T2,<T3  E  T  and  T\^T2  ^  T.  If  the 
monitor  interprets  the  sequence  as  a  concatenation  of  the  valid  transactions  ai 
and  (72,  then  it  has  to  preserve  both  factors  in  its  oiiti)ut.  However,  if  it  ])arses  the 
sequence  as  t\  ;  (T3;  r2,  then  it  must  output  only  the  equivalence  sequence  Since 
the  two  sequences  are  syntactically  identical,  the  monitor  has  no  information  of 
which  to  base  such  a  decision. 

Theorem  4.  A  pjvperty  Vr  correctively^^  enforceable  if  it  is  transactionaf 
reasonable,  and  T  is  unambiguous. 

Proof.  The  proof  has  been  omitted  out  of  space  (•onsiderations.  It  is  available 
from  the  authors  upon  request.  □ 

We  have  only  to  refer  to  lemma  3  in  order  to  state  a  precise  upper  bound  to  the 
set  of  enforceable  properties. 

Theorem  5.  A  property  V  is  corrective ly^.^.  enforceable  iff  Vr  ^  V  and  T  is 
unambiguous. 

Proof.  The  i)roof  has  been  omitted  out  of  space  considerations.  It  is  available 
from  the  authors  upon  request.  □ 


6.2  Prefix  Equivalence 

In  this  section,  we  show  that  Ligatti  et  al.’s  result  from  [13],  namely  that  the 
set  of  properties  effectively^^  enforceable  by  an  ('dit  automaton  corresponds  to 
the  set  of  reasonable  renewal  properties  with  a  computability  restriction  added^, 
can  be  stated  as  a  spc^cial  case  of  our  framework. 

First,  we  need  to  align  onr  definitions  of  enforcement.  Using  effective  enforce¬ 
ment,  tlu'y  only  rc'qiiirc  that  the  monitor’s  output  be  equivalent  to  its  input  when 
the  latter  is  valid,  and  while  placing  no  such  restriction  011  the  output  otherwise. 
Th('  semantics  of  their  monitor  however,  do  impose  that  the  output  remain  a 
prefix  of  the  input  in  all  cases,  and  indeed,  that  the  longest  valid  pn^fix  always 
be  output  (see  [8]).  This  characterization  can  be  translated  in  onr  formalism  by 

instantiating  ~  to  V<7,  a'  ^  :  a  cr'  prc  f{o')  fl  P  =  prcf{a^)  D  V. 

Using  this  relation,  two  sequences  are  equivalent,  w.r.t.  a  given  property  V  iff 
they  have  the  same  set  of  valid  prefixes. 

Theorem  6.  A  property  V  is  effectively^  enforceable  iff  it  is  correctively^^  ^ 
enforceable. 

^  Actually,  the  authors  identified  a  corner  case  in  which  a  property  not  in  the  set 
described  above.  This  occurs  when  the  monitor  reaches  a  point  where  only  one  valid 
continuation  Ls  pos.sible.  The  input  can  then  be  ignored  and  this  single  continuation 
is  output.  We  have  neglected  to  disens.s  this  case  here  as  it  adds  comparatively  little 
to  the  range  of  enforceable  properties. 


I 'Siiig  h>|uivaIonce  Relations  for  Corrective  Eniforceinent  of  Socnrity  Policies 


151 


Proof.  The  i:)r()of  hris  been  omitted  ont  of  space  coiisideratioiis.  It  is  availabk' 
from  the  authors  upon  request.  □ 

It  would  b('  intuitive  to  instantiate  the  partial  order  C  to  Other  possibilities 
can  be  considered,  which  would  more  closely  follow  the  specific  i)roj)erty  being 
enforced. 

Theorem  7.  A  property  V  is  coiTectwely^  ^  enforceable  iff  it  is  in  renewal 
reasonable  and  computable. 

Pi  oof  Inunediate  from  theorem  G  and  theorem  3  of  [13].  □ 

As  discussed  in  [13],  this  set  includes  a  wide  range  of  j)roj)('rties,  inclndiiig  all 
safety  properties,  some  liveiiess  properties  such  as  the  “eventually  audits”  prop¬ 
erties  re(iiiiriiig  that  an  action  eventually  be  loggc'd,  and  properties  which  are 
neither  safety  nor  liveness  such  as  the  transactional  ])roperties  described  in  sec¬ 
tion  4.  lAirt  her  more,  if  the  behavior  of  the  target  system  is  known  to  consist 
only  of  finite  executions,  then  every  .se(iueiice  is  in  renewal. 

7  Nonuniforni  Enforcement 

In  this  se('tion,  w^e  investigate  the  possibility  of  extending  the  set  of  euforec'- 
able  properties  by  giving  the  monitor  .some  knowledge  of  the  target  program’s 
pos.sihlc  behavior.  This  question  w'as  first  raised  in  [16].  In  [1],  the  authors  dis¬ 
tinguish  betwe<'n  the  iiiiiform  context,  in  which  the  monitor  must  eon.sider  that 
every  sequence  in  can  occur  during  the  target  program's  execution,  from 
the  nonuniform  context,  in  which  the  set  of  possible  executions  is  a  subset  of 
17^  .  Tluw  further  show  that  in  some  case,  the  set  of  properties  enforceable  in  a 
nonuniforni  context  is  greater  than  that  which  is  enforceable  in  a  uniform  con¬ 
text.  Later  Chabot  et  al.  [7]  showed  that  while  this  result  did  not  aj)j)lv  to  all 
runtime  enforcement  paradigms,  it  did  apply  to  that  of  truneation-based  mon¬ 
itor.  Indeed,  they  show  that  in  this  monitoring  context,  a  monitor  op(Tating 
with  a  subset  of  is  always  more  j^owerfnl  than  one  which  considers  that 
ev(Ty  se(juenc('  can  be  output  l)y  its  target . 

Let  S  stand  for  the  set  of  sequences  wdiich  the  monitor  considers  as  possible 
('xecnitions  of  th('  target  program.  S  is  neees.sarily  an  over  approximation,  built 
from  static  analysis  of  the  target.  VVe  write  eorreetively£  enforceabh'.  or  just 
eiiforceabl('£,  to  denote*  the  .set  of  i)roperties  that  ar('  corrc'ctively^  euforeeable, 
wdien  only  secjuences  from  C  17^  are  i)ossible  executions  of  the  target  program. 
A  iHoperty  is  correctively^  enforceable  iff  for  every  sequence  in  S,  the  monitor 
can  return  a  valid  and  eciuivalent  seqiu'iice. 

Definition  4.  Let  A  be  an  edit  automaton  and  let  S  C  be  a,  subset  of 

e.reeutions.  A  couvctiveli^  enforces  the  property  V  ifJMa  ^  S 

t.  V{A{o)) 

2.  A{o)  ^  cr 


152  R.  Khoury  and  N.  Tawbi 


Theorem  8.  A  property  V  is  eorreetively^  enforceable  iff 

1.  V  is  Reasonable 

2.  BV'  C  P  :  “P'  G  renewal  :  (37  €  S  ^  V'  :  (Vo-  €  S  :  7(0)  =  a)  A  (Vo,  o'  €  5  ; 

^  a  ^  7(^0  —  7(^))  A  7  is  computable) 

Proof  The  proof  follows  exactly  cis  that  of  Theorem  1.  □ 

Lemma  9.  Let  S  C  and  V  be  a  reasonable  propcHy  V  is  trivially  corree- 
lively^  enforceable  iff  S  C  V.  If  this  is  the  ease,  the  monitor  can  enforce  the 
property  by  always  retuiiiing  the  input  sequence. 

We  assume  that  S  represent  an  upper  approximation  of  a  program  ex  en  it  ions 
set,  determined  by  static  analysis.  It  would  be  desirable  if  the  set  of  enforceable 
properties  increased  monotonously  each  time  a  sequence  was  removed  from  S. 
This  means  that  any  effort  made  to  perform  or  refine  a  static  analysis  of  the 
target  program  would  payoff  in  the  form  of  an  increase  in  the  set  of  enforceable 
properties.  This  is  unfortunately  not  the  case.  As  a  counterexample,  consider 
the  equivalence  relation  defined  as  Ver,  o-'  G  :  o-  =  a'.  It  is  obvious  that  any 
SfXtisfiable  property  can  be  trivially  enforced  in  this  context,  simply  by  always 
outputting  any  valid  sequence,  which  is  necessarily  equivalent  to  the  input.  No 
benefit  can  then  be  accrued  by  restricting  S. 

There  are,  of  course,  some  instances  where  constraining  the  set  S  does  result 
in  an  increase  in  the  set  of  correctively^  enforceable  properties.  This  occurs 
when  invalid  sequenc(‘s  with  no  valid  equivalent  are  removed  from  S.  Indeed,  for 
any  subsets,  of  E^  s.t.  S  d  S'  AS'\S  ^  {e},  there  exists  an  equivalence 
relation  =  for  which  enforceable^  C  enforceable  c£. 

Theorem  10.  Let  S  C  S'  d  E^  A  S'\S  ^  {e}.  There  exists  an  equivalence 
relation  =  s.t.  enforecable^  d  enforceable  c£. 

Proof.  Let  =  be  defined  s.t.  3a  G  S'\S  :  [a]  D  «S  ^  0.  Let  V  be  the  property 
defined  as  V{a)  {a  ^  S  A  a  ^  e).  This  property  is  not  enforceable^  .since 
there  exists  vSequences  in  ^S'  with  no  valid  equivalent.  The  property  is  trivially 
enforceable  c£.  □ 

A  final  question  of  relevance  on  the  topic  of  nominiform  enforcement  is  whether 
there  exists  some  e(|iiivalence  relations  =  for  which  every  reduction  of  the  size  of 
S  monotonously  increases  the  set  of  properties  that  are  correctively^  enforceable. 
In  other  words,  if  there  exists  some  =  for  which  S  d  S'  ■=>  enforceable^  C 
enforccablc£.  Anyone  operating  under  such  an  equivalence  relation  would  have 
an  added  incentive  to  invest  in  static  analysis  of  the  target,  as  he  or  she  w^ould 
be  guaranteed  an  increase  in  the  set  of  enforceable  properties.  Unfortunately,  it 
can  be  shown  that  this  result  holds  only  when  =  is  .syntactic  equality  and  at 
least  one  sequence  different  from  e  is  removed  from  the  set  of  pos.siblc  sequences. 

Theorem  11.  {a  ^  a  a  =  o')  ^  V5.  5'  C  :  [S  d  S'  A  S'\S  /  {e}  => 
enforeeable^  d  enforceable^) 


Using  Equivalence  Relations  for  Corrective  Enforcement  of  Security  Policies 


153 


Proof.  (=^  direction)  Let  V  be  defined  such  that  V[(t)  (a  ^  This  prop¬ 

erty  cannot  be  correctively^  enforceal^le  since  any  sequence'  in  S\S  does  not 
have  a  valid  equiv^dent.  Tlie  property  is  trivially  correctively£  enforceable. 

(<=  direction)  By  contradiction,  let  =  be  difTercnt  than  syntactic  equality.  This 
implies  the're  exists  rr, er'  C  5'  :  rr  =  cr'  A  rr  ^  rr'.  Further,  let  <S'  = 

S  =  {cr}.  We  show  that  any  property  that  is  correct! vely£  enforceable  is  also 
correct ively£  enforceable.  There  are  five  cases  to  consider,  : 

—  cr,  cr'  C  V:  In  this  case,  the  property  is  always  trivially  enforceable. 

—  G^VI\  o'  ^V'.  Such  a  property  would  be  both  correct  ively£  enforceable 
and  correctivoly£  enforcx'able  by  aiitoiiiatoii  A  for  which  A{t)  =  o  for  all  r 
ill  the  input  set. 

—  o'  G  V  Ao  ^  V  :  Such  a  property  would  be  both  correct ively£  enforci'able 
and  correct ively£  enforceable  by  automaton  A  for  which  A{t)  =  o'  for  all 
r  ill  the  input  set, 

~  o,  o'  ^  V  A  3o"  =  o  :  V{o")  :  Such  a  property  would  be  both  corre(dively£ 
enforceable  and  correct ively£  enforceable  by  autoniatoii  A  for  which  A{t)  — 
o"  for  all  T  in  the  input  set. 

—  o,  o'  ^  V  A  -'3r  =  o  :  V(t)  :  This  property  can  neither  be  coiTectively£ 
enforceable  nor  can  it  be  correctively£  enforceable  since  there  exi,sts  some 
,sequeuces  with  no  valid  ecpii valent. 

Finally,  observe  that  since  only  reasonable  sequences  are  enforceable,  no  possible 
gain  can  be  accrued  from  removing  only  f  from  the  set  of  possible  sequences.  □ 

8  Conclusion  and  Future  Work 

In  this  paper,  we  p)roposc  a  framework  to  analyze  the  security  properties  enforce- 
al)le  by  monitors  capable  of  transforming  their  input.  By  imposing  constraints 
on  the  enforcement  mechanism  to  the  effect  that  some  behaviors  existing  in  the 
input  sequence  must  still  be  present  in  the  output,  we  are  able  to  model  the  de¬ 
sired  behavior  of  real-life  monitors  in  a  more  realistic  and  effective  way.  We  also 
show  that  real  life  properties  are  enforceable  in  this  paradigm,  and  giv(^  [)refix 
('(luivalence  and  factor  ecpii valence  as  possible  examples  of  realistic  equivaUmce 
relations  which  could  be  used  in  a  monitoring  context.  The  set  of  properties 
enforceable  using  the,se  two  ecpiivalence  relations  is  related  to  i)rcvious  resnlts  in 
the  field. 

Future  work  will  focus  on  other  equivalence  rc'lations.  Two  meaiiingfnl  equiv¬ 
alence  relations  which  we  are  currently  studying  are  siibword  equivalence  and 
permutation  equivalence.  The  first  adequately  models  the  behavior  of  a  monitor 
that  is  allowed  to  insert  actions  into  the  prograiiFs  execution,  but  may  not  sub¬ 
tract  anything  from  it.  The  second  models  the  behavior  of  a  monitor  which  can 
reorder  the  actions  performed  by  its  target,  but  iiiay  not  add  or  remove  any  of 
them.  An  even  more  general  framework  that  could  be  envisioned  would  be  one 
in  which  the  behavior  that  the  monitor  must  preserve  is  stated  in  a  temporal 
logic. 


154 


R.  Klioury  and  N.  Tawbi 


References 

1.  Alpcni.  B.,  Schneider,  F.B.:  Recognizing  safety  and  liveness.  Distributed  Comput¬ 
ing  2,  17  12G  (1987) 

2.  Alperm  B.,  Schneider,  F.:  Defining  liveness.  Information  Processing  Letters  21(4), 
181  185  (1985) 

3.  Bauer,  A..  Leiicker,  M..  Schallhart,  C.:  Monitoring  of  real-time  properties.  In:  Arun- 
Kumar,  S.,  Garg,  N.  (eds.)  FSTTCS  2006.  LNCS,  vol.  4337,  pp.  260  272.  Springer, 
Heidelberg  (2006) 

4.  Bauer,  L.,  Ligatti,  J.,  Walker,  I).:  More  enforceable  security  policies.  In:  Proceed¬ 
ings  of  the  Foundations  of  Computer  Security  Workshop  (July  2002) 

5.  Biclova,  N.,  Massacci,  F.,  Michelet ti.  A.:  Towards  practical  enforcement  theories. 
In:  Kiiapskog,  S.J.  (ed.)  NordSec  2009.  LNCS,  vol.  5838.  pp.  239-254.  Springer, 
Heidelberg  (2009) 

6.  Chabot,  H.:  Securisation  de  code  basw  sur  la  cornbinaison  d ’analyse  statique  et 
dynainiqiie,  generation  de  moniteur  partir  d’un  automate  de  Rabin.  Master’s  thesis, 
Laval  University  (2008) 

7.  Chabot,  H.,  Khoury.  R.,  Tawbi,  N.:  Generating  in-line  monitors  for  Rabin  au¬ 
tomata.  In:  Josang,  A.,  Maseng,  T.,  Knapskog.  S.J.  (eds.)  NordSec  2009.  LNCS, 
vol.  5838,  p|).  287  301.  Springer,  Heidelberg  (2009) 

8.  Falcone.  Y.,  Fernandez.  J.C.,  Moimier,  L.:  Enforcement  monitoring  wrt.  the  safety- 
progress  classification  of  properties.  In:  Proceedings  of  the  ACM  Symposium  on 
Applied  Computing  (SAC),  pp.  593  600.  ACM  Press,  New  York  (March  2009) 

9.  Fong,  P.:  Access  control  by  tracking  shallow  execution  history.  In:  Proceedings  of 
the  2001  IEEE  Symposium  on  Security  and  Privacy  (May  2004) 

10.  Hanilen,  K.W.,  Morrisett,  G.,  Schneider,  F.B.:  Computability  classes  for  enforce¬ 
ment  mechanisms.  ACM  Trainsactions  on  Programming  Languages  and  Systems 
(TOPLAS)  28(1),  175  205  (2006) 

11.  Lamport,  L.:  Proving  the  correctness  of  miiltiprocess  programs.  IEEE  Transactions 
on  Software  Engineering  3(2),  125-143  (1977) 

12.  Ligatti,  J.,  Bauer,  L.,  Walker,  D.:  Edit  automata:  Enforcement  niechanisms  for 
nm-tinie  security  policie.  International  Journal  of  Information  Security  (2004) 

13.  Ligatti,  J.,  Bauer,  L.,  Walker,  D.:  Enforcing  non-safety  security  policies  with  pro¬ 
gram  monitors.  In:  di  Vimercati,  S.d.C.,  Syverson,  P.F.,  Golhnann,  D.  (eds.)  ES- 
ORICS  2005.  LNCS,  vol.  3679,  pp.  355  373.  Springer,  Heidelberg  (2005) 

14.  Ligatti.  J.,  Bauer,  L.,  Walker,  D.:  Run-time  enforcement  of  nonsafety  policies.  ACM 
Transactions  on  Information  and  System  St'curity  12(3),  1  41  (2009) 

15.  Ligatti,  J.,  Reddy,  S.:  A  theory  of  runtime  enforcement,  with  results.  Tech.  Rep. 
USF-CSE>SS- 102809,  University  of  South  Florida  (April  2010) 

16.  Schneider.  F.B.:  Enforceable  security  policies.  Information  and  System  Secu¬ 
rity  3(1),  30  50  (2000) 

17.  Syropoulos,  A.:  Mathematics  of  multisets.  In:  Calude,  C.S.,  Pun,  G.,  Rozeiiberg, 
G.,  Salomaa,  A.  (eds.)  Multiset  Processing.  LNCS,  vol.  2235,  pp.  347  358.  Springer, 
Heidelberg  (2001) 

18.  Talhi,  C.,  Tawbi,  N.,  Debbabi,  M.:  Execution  monitoring  enforcement  under 
memory-limitations  constraints.  Information  and  Computation  206(1),  158  184 
(2008) 


Model  Checking  of  Location  and  Mobility 
Related  Security  Policy  Specifications 
in  Ambient  Calculus 


Dovriiii  O/aii  Akar^.  and  M.  Ufuk  Caglayaii^ 

^  TURITAK  National  R('svar<h  Inst,  of  Electronics  and  Cryptology 
^  Bogaziri  University 


Abstract.  Verifiratioii  of  security  for  mobile  networks  n'tpiires  specifi¬ 
cation  and  verification  of  sc'ciirity  policies  in  niiiltipU^domaiii  cnviroii- 
inents.  Mobile?  users  present  challenges  for  Sfunufication  and  vei  ificatioii 
of  security  policies  in  such  ('nvironinents.  Formal  methods  are  expected 
to  ensure  that  the  construction  of  a  system  adluTcs  to  its  specification. 
Ibnnal  methods  for  sperification  and  verification  of  security  policies  en¬ 
sure  that  the  security  policy  is  consistent  and  satisfied  by  the  network 
elements  in  a  given  network  configuration.  We?  pre'senit  a  inetlie)d  and  a 
model  checking  tool  for  formal  specification  anel  verification  of  location 
and  mobility  related  security  policies  for  mobile?  iie'tw'orks.  The  formal 
languages  nseel  for  specification  are  Predicate*  Logic  and  Ambient  Calcu¬ 
lus.  The  presemted  toe)!  is  capable  of  spatial  model  checking  of  Ambient 
Calculus  specifications  for  scTurity  policy  rules  and  uses  the  NnSMV 
inoelel  checker  for  temporal  nujclel  checking. 

KeyworeJs:  model  checking,  ambient  calculus,  security  policy. 


1  Introduction 

Re\s()iir(v  sharing  and  provision  of  services  in  net  works  with  multiple  administra¬ 
tive'  eloiiiains  is  an  ever-increasing  iie^ed.  Roaming  is  another  concept  that  cronies 
into  consideration  when  dealing  with  multi-domain  resource  sharing  applita- 
tioiis  where  users  are  allowed  to  use  network  connectivity  of  mnltiple  domains. 
Roaming  means  that  users  are  able  to  (  oiiiiect  to  and  use  networks  of  multipk* 
administrative  domains.  Set  iirity  iiiaiiageiiieiit  in  such  an  environment  requires 
speeification  of  iiiter-domaiii  security  policies  and  cross-domain  administration 
of  security  iiieelianisms.  Authorization  mechanisms  determine  the  access  rights 
for  a  user  based  on  the  security  policy.  The  access  cc^iitrol  inechanisins  then  con¬ 
trol  the  user  access  to  the  resource  based  upon  these  detennined  access  rights. 
The  user  actions  should  he  verified  against  home  and  visited  domain  policies 
as  tlic'y  across  resources  on  visited  domains.  Formal  verification  can  be  used  to 
ensure  that  visiting  uscts  arc  not  bypassing  sc'curity  mechanisms  and  violating 
sc'cnrity  i)olicy  by  making  u.sc  of  the  internal  trust  rc'lationsliips. 

In  this  paper,  wc  propckse  a  method  and  a  model  checking  tool  for  formal 
spc'cificatioii  and  verification  of  miilti-doinaiii  sc'ciirity  policies  with  location  and 


I.  Kotenko  and  V.  Skorinin  (Eds.):  MMM-ACNS  2010.  LNCS  6258.  pp.  155-168,  2010. 
©  Springer- Verlag  Berlin  Floidolborg  2010 


156 


D.  Unal,  O.  Akar,  and  M.U.  Caglayaii 


mobility  constraints.  Appropriate  to  the  nature  of  multi-domain  mobile  net¬ 
works,  the  proposed  method  focuses  on  the  location  and  mobility  aspects  of 
security  policies.  The  formalisiii  of  the  method  is  based  on  prexlicate  logic,  am¬ 
bient  calculus  and  its  ambient  logic.  An  ambient  calculus  model  checker  capable 
of  spatial  and  temporal  model  checking  has  been  built  for  the  implementation  of 
proposed  method.  The  model  checker  presents  novel  coinputational  methods  for 
decreasing  the  time  and  space  complexity  of  spatial  model  checking.  The  model 
checking  approach  complements  our  previous  work  on  use  of  theorem  proving 
for  security  policies  [19|. 

2  Formal  Languages  and  Methods  for  Specification  and 
Verification  of  Policies 

Logic-based  security  policy  models  provide  a  general  framework  for  security  pol¬ 
icy  specification.  Becker  et  al.’s  SEC PAL  [1]  is  a  formal  security  policy  language 
for  Grid  environments.  The  Flexible  Authorization  Framework  (FAF)  is  a  logic 
programming  based  method  for  definition,  derivation  and  conflict  resolution  of 
authorization  policies  [14,13].  Another  study  based  on  logic  that  supports  ex¬ 
plicit  denials,  hierarchies,  policy  derivation  and  conflict  resolution  is  [2].  Ponder 
[9]  is  a  general  purpo.se  formal  security  policy  language.  Woo  and  Lain  [20|  define 
a  paraconsisteiit  formal  language  for  authorizations  based  on  logical  constructs. 
In  [8]  deontic  logic  is  used  for  modeling  the  concepts  of  permission,  obligation 
and  prohibition  with  organizational  constructs.  A  security  policy  language  based 
on  the  set-and-function  formalism  is  presented  in  [16]. 

Model  checking  and  theorem  proving  have  been  applied  for  verification  of  se¬ 
curity  policies.  Aepeg  [21]  is  a  tool  for  evaluating  and  generating  access  control 
policies  based  on  first-order  logic.  We  hav('  previously  applied  theorem  proving 
to  verification  of  security  policies.  In  [19]  we  use  Coq  for  checking  that  an  au¬ 
thorisation  security  policy  is  conflict-free,  initially  and  as  authorisation  rules  are 
added  and  removed,  while  [10]  uses  first  order  linear  temporal  logic  embedded 
within  Isabelle  to  formalise  and  verify  RBAC  authorisations  constraints.  A  more 
recent  study,  [18]  uses  nontemporal  and  history-based  authorization  constraints 
in  the  Object  Constraint  Language  (OCL)  and  first-order  linear  temporal  logic 
(LTL)  to  verify  role-based  access  control  policies  with  the  help  of  a  theorem 
prover. 

Ambient  Calculus  [4]  has  been  used  for  inodeling  and  reasoning  about  security 
in  mobile  systems.  Reasoning  about  spatial  configurations  for  application  level 
security  policies  in  ubiquitous  environinents  is  one  of  the  issues  investigated  in 
Scott’s  PhD  thesis  [17[.  In  this  study  a  simplified  version  of  ambient  calculus  and 
ambient  logic  is  used  in  policy  rules  of  a  security  policy.  BACIr  [7]  is  a  boxed 
ambient  calculus  with  RBAC  mechanisms  used  to  define  access  control  policies 
for  ambients.  Similarly,  in  our  approach,  the  Anibient  Calculus  and  Ambient 
Logics  [3|  are  utilized.  In  contrast  to  BACIr  which  places  policies  inside  Ambient 
Calculus  formulas,  we  use  Ambient  Calculus  for  specification  of  processes  and 
Ambient  Logics  for  specification  of  policies  and  complement  them  with  Predicate 


Modol  Cliorking  of  Security  Policy  SixTifications  in  Ambient  Calculus 


157 


Logic*  bciscd  relational  model.  In  contrast  to  Scott’s  approach,  network  levc'l 
policies  rather  than  ai)plication  level  policies  will  be  covered  and  locations  will 
denote  placement  in  domains  and  hosts.  Por  model  checking  of  ambient  calculus 
specific'at  ioii.s,  our  approach  is  similar  to  the  work  of  Mardare  et  al  |15|.  We 
use  a  modified  version  of  Mardare  algorithm  and  present  an  algorithm  based 
on  use  of  capability  tree's  that  reduces  complexity  of  state  space  generation  and 
matching  of  ambient  logic  formiihus  to  states.  In  the  works  of  Charatonik  et 
al.  |5.r)|  exhaustive*  search  is  offered  for  sc'archiiig  possible  decompositions  of 
procc.sscs  and  searc  hing  sub  lc:)catic:)iis  when  checking  spatial  modalities.  We  offer 
heuristic's  for  searching  possible  decompositions  of  prc:)cesses  and  searching  sub 
locations  to  rechic*e  the  search  space. 

3  A  Formal  Model  for  Security  Policies  for  Multi-domain 
Mobile  Networks  in  Ambient  Calculus 

3.1  Formal  Model  for  Security  Policy 

Accc.s.s  Control  Model:  The  accc'ss  control  model  is  spc'cafied  using  Predicate* 
Calculus  and  First  Order  Set  Thc'ory.  The*  ac(*ess  control  model  is  based  on  the 
RBAC  |11|  model.  Idie  Hierarchical  RBAC  model  extends  the  Core  RBAC  model 
with  role  hierarchies.  We  use  the  hierarchical  RBAC  model  that  suppc:)rts  rc:>le 
hierarchic's.  For  iiitroduetioii  of  location  and  mobility  constraints  iiitc:>  the  secu¬ 
rity  pc:>licy.  wo  extend  the  Hierarchical  RBAC  model  by  adding  Domains,  Hc:>sts, 
Objc'ct  Types,  Conditions  and  Location  Constraints.  The  concc'pt  of  sessions  are 
not  utilized  in  our  model. 

Constants: 

d, /n,  o, /,  c:  Number  of  domains,  hosts,  users,  roles,  objects  and  objec  t 
types,  respectively. 

-  Sets: 

•  D  =  {D\,  D2,  :  Domains  ,  If  —  {//i,//2 _ Iln}  •  Hosts 

•  IJ  =  {f/i,  f/2,  ...f/yn  }  :  Users  ,  i?  =  {i?i ,  i?2^ •  Roles 

•  O  =  {O, ,  O2, Of }  :  01)jects  ,  OT  =  {OT, ,  OT2,  ...OT„  }  :  Objc'ct  Type's 
~  Relations: 

HOD  :  H  X  D  :  Maps  hosts  to  domains.  HOD{fIi,  Da)  deiiotc'S  that  //,  is 
enrolled  to  Domain  Da. 

UOD  :  U  X  D:  Maps  users  to  domains.  UOD{lJ j.  Da)  denotes  that  Uj  is 
('iirolk^l  to  Domain  Da- 

GOT  :  O  — +  OT  :Fimctioii  that  spc'cifies  the*  type'  of  an  objec-t.  00T{0}^) 
givers  the  type  of  object  O^. 

UA  :  U  X  /?:  Relation  for  assignment  of  iist'rs  to  roles. 

PA  :  R  X  AO  X  SA:  Relation  for  associating  roles  with  permissions. 

AutkoTizat/ion  Tei'ins  and  Security  Policy 

An  Authorization  Term  is  of  the  form  at  (as,  ao,  fo,  co)  where  as^AS,  ao 
G  AO,  saG  S  X  AJo:  a  formula,  where  formula  is  an  ambient  logic  formula,  co: 
a  condition,  where  condition  is  a  predicate  logic  formula.  Sc'ciirity  policy  is  a  set 
of  authorization  te^rms. 


158 


D.  Unal,  O.  Akar,  and  M.U.  Caglayan 


—  Sets: 

AS:  A5  =  U  UR.  The  set  of  Authorization  Subjects.  Authorization  Subjects 
are  active  entities  that  may  conduct  an  Action  on  an  Authorization  Object. 
AO:  AO  =  O  UOT  \J  H  \JD.  The  set  of  Authorization  Objects.  The  autho¬ 
rization  object  is  the  entity  upon  which  an  action  is  conducted. 

A  :  Set  of  actions  conductable  by  subjects  on  objects.  We  take  A  to  be  fixed 
in  this  study: 

A  —fEiirolly  Logirif  Logout,  Execute,  Read,  Write,  Send,  Receive,  Delete, 
Create} 

Signs:  S  =  {  +  .— }  Represents  periiiissioii  or  denial. 

Signed  Actions:  S  x  A\  Represents  permission  or  denial  of  an  action  ( ^  .read) 
denotes  that  read  action  is  permitted. 

—  Predicates: 

•  EnrolledDomainHost  [host,  domain):  host  is  a  registered  nunnber  of  the 
Domain  domain 

•  EnrolledDomainUser  {user,  domain):  user  is  a  registered  nieniber  of 
domain 

•  Active! )omainUser  {user,  domain):  user  has  logged  into  a  domain 

•  Role  Allowed  {user,  role):  user  has  a.ssiimed  the  Role  of  7vle 

•  Action  Allowed  (as,  action):  Authorization  Subject  as  is  allow'cd  to 
execute  action  action 

—  Conditions:  First-order  sentences  built  on  the  Predicates  defined  above. 

—  Spatial  Formula:  Ambient  Logic  formula  that  includes  names  of  domains,  au¬ 
thorization  subjects  and  authorization  objects.  The  formula  will  be 
described  in  the  following  sections. 

3.2  Formal  Specification  of  Mobile  Processes 

Ambient  calculus,  proposed  by  Cardelli  and  Gordon,  is  a  process  calculus  which 
is  able  to  theorize  about  concurrent  systems  that  include  mobility  and  locations 
|4|.  The  proposed  methodology  uses  ambient  calculus  for  sj^ecifying  multi-domain 
mobile  network  configurations.  Fragment  of  ambient  calculus  used  in  this  paper 
is  shown  at  Table  1.  The  semantics  of  ainbicmt  calculus  is  based  on  structural 
congruence  relation. 

The  formal  model  for  niobility  is  a  finite  fragment  of  the  ambient  calculus  with 
public  name.s  as  usc'd  in  \G\.  In  the  formal  specification,  domains,  hosts,  users 
and  objects  are  modeled  as  Ambients.  Tlu^  actions  are  modeU'd  as  Ambient 
Calculus  capabilities.  A  process  specification  shows  a  trace  of  a  process  in  a 
certain  mobile  network  scenario.  Each  scenario  may  be  modeled  as  a  set  of 
process  specifications.  Th(\se  s])ecifications  will  then  be  checked  against  a  security 
policy  for  compliance.  The  process  specification  involves  capabilities,  objects  and 
ambients.  Resources  may  be  input  and  output  by  the  ambients.  The  ambients 
may  be  World,  Domains,  Hosts  and  Users.  Below  some  examples  of  object,  host 
and  UvSer  niobility  specification  of  mobility  as  ambient  calculus  processes  are 
listed.  Some  known  notation  conventions  are  utilized:  for  example  n||  means 
77|0|.  The  .symbol  — ►  represents  the  reduction  relation  and  — represents  a  series 
of  reductions. 


xModol  Cdiocking  of  Security  Policy  Si)ocificatioiiy  in  Ambient  Calculus 


151) 


Tabic  1.  Mobility  and  communication  primitives  of  Ambient  Calculus 


P.Q  :: 

processes 

M 

capabilities 

0 

inactivity 

.r 

variable 

/’IQ 

coinpo.sition 

71 

name 

A/[P1 

ambient 

if}  A I 

can  enter  M 

M.P 

capability 

out  M 

can  exit  M 

U-).P 

input 

open  M 

can  oj)en  M 

(A/) 

;usynchroiious 

f 

null 

01ltl)llt 

A/.A/ 

path 

-  Fif(  1  is  copied  to  Poriablci: 

\Vorl(l\DoinainA\Sm)crl\io\(\Qv  [out  folder,  out  SciTerL  in  Portabicl.  in 
folder.  FilflW  I  File!  (HI  |  [folder  11]|| 

HV;Wd|Z>^o7nami4|SV.nT7  /  [folder  |F7/e7||||  |  Poi  fable  1  |foldcr|F7/rZ  |||||| 

—  A  message  M  is  sent  from  User!  to  UserS: 

World  [DoinamA  \Sc7verl  [User!  |message|A/  |  out  Uscrl.  out.  ScrtTrl. 
out  DornainA.  in  DomainB,  in  Clic7it2.  in  C5e7’/Z.()|||)  |  Do7naniB  \Clie7vi2 
\UscrS  [open  message. (77i).0|||| 

World  I Do7}iai7iA \ Server  1  \  Uscrl  1 1 1|  |  Do77iam B \  Clie7i  12 \  UserS [ A/ j] jj 

We  also  provide  the  mapping  of  actions  in  the  security  policy  model  to  Ambient 
Calculus  specifications.  Thc'se  are  provided  as  a  template  and  leased  on  inference 
of  spet'ific  subject  and  object  names  from  t  he  high-level  specifications  of  se'cnrity 
policy,  the  mode*!  checking  tool  is  pre.sented  with  suitable  Ambient  Calculus 
specificat  ions. 

En7vll  =arf  7}(  wzA7ido7nai7i.z\\\do77iai7i^,  wlievvz  G  C  U  //.  dornai7t  E  D  ( I ) 

Logm  do7}tai7i[z[i7}lwsf]\h.ost[]],tch(  rrz  G  UJiosf  G  !Fdoinai7i  G  D  (2) 
Logo7ii  do7na7n.[liost[z[out host]]],  ivhercz  G  UJiost  G  U.domam  G  D  (5) 


3.3  Formalization  of  Location  and  Mobility  Related  Actions  in 
Authorization  Term 

The  spatial  formula  in  the  Authorization  Term  is  speedfied  using  the  Ambiemt 
Logie|3|.  lYagment  of  ambient  logic  used  in  this  paper  is  shown  in  Table  2.  Am¬ 
bient  logic  has  temporal  and  spatial  modalities  in  addition  to  propositional  logic 
elements.  Semantics  of  the  eomiectivcs  of  the  ambient  logic  are  given  through 
satisfaction  relations  defined  in  |3|.  The  definition  of  satisfaction  is  ba.sed  heavily 
on  the  structural  congruenee  relation.  The  satisfaction  relation  is  denoted  hy  \-^ 
symhol.  do  express  that  process  P  satisfies  the  formula  .c/,  P  \=  .0^  is  used.  The 


160 


D.  Unal,  O.  Akar,  and  M.U.  Caglayaii 


Table  2.  Syntax  of  ambient  logic 


7/  a  name  n 

T  true  ,9^  composition 

negation  n[j^]  location 
y  ^  disjunction  sometime  modality 

0  void  <>s^  somewhere  modality 


symbol  U  denotes  the  s(^t  of  processes,  ^  denotes  the  set  of  formulas,  d  denotes 
the  set  of  variables,  and  A  denotes  the  set  of  names. 

The  possibility  of  conflicts  arising  of  eonflieting  actions  are  resolved  using 
the  theorem  prover  as  presented  in  our  previous  work  in  [19]  before  presenting 
rules  to  the  model  checker.  Using  the  formalization  methodology  for  authoriza¬ 
tion  terms  and  spatial  formula  described  above,  some  example  security  policy 
dc'finitions  with  location  constraints,  which  can  he  specified  with  our  formal 
authorization  terms  arc  presented  below. 

1.  All  allowed  users  can  read  files  in  folder  Project _  Folder^  if  they  are  in  a 

location  that  contains  this  folder:  (as  ^  ao  Project _  Folder^  sa  +  rcad^ 

CO  Ac tioji Allowed  (as,  sa),  fo  o(a,sH  |  ao|])) 

2.  All  allowed  users  can  send  E-mail  betwecni  the  University  A  and  University  B 

domains:  (as  =  ao  —  E-mail,  sa  send,  co  =  AetionAllowed  {as, 

sa),  fo  “  UniversityA  [oa5|]|  |  University B  |oaa|||  \/  University B  |ou,s||]  | 
UnivcrsityA\oao\W) 

To  check  location  constraints  in  security  policy,  the  input  to  the  mod(d  checker 
tool  is  an  Ambient  Calculus  si)eeification  and  a  set  of  Ambient  Logic  formulas. 
An  example  scenario  specified  in  Ambient  Calculus  and  a  security  i)olicy  rule 
specified  in  Ambient  Logic  is  i)resented  below.  In  this  exanii)le  there  are  two 
domains,  Domain  1  and  Domain2,  where  User2  is  mobile  and  tries  to  read  data 
from  Filel  by  logging  into  Hostl.  Spatial  formula  in  the  policy  rule  states  that 
Host2  can  not  contain  Datal  and  Data2  at  the  same  time.  This  is  a  rule  that 
means  Doniain2  data  should  not  be  copied  to  Domain  1. 

~  Ambient  Calculus  Specification:  Domainl  [Userl\]  \  Hostl  \Filel  \Datal  \ 
in  User2.0  \  out  User2.0\\]]  \  Domain2  \Host2  \  Uscr2  [out  Host2X)  j  out  Do- 
main2.0  \  in  Domainl. \n  Ilostl.i)  j  out  Hostl. owt  Domainl. i) 

I  in  Domain2.\\\  Hosi2.Q  in  Fx/ei.O  |  in  F?7e;^.0  |  out  Fx/ci.O  |  out  File2.Q\ 

I  Fz/c>2|Z>a^a;^||||| 

-  Ambient  Logic  Si)eeification:  □  {  o  {  o  Host2\  o  {Datal\Y\  \  Data2\T\]\ 
IT} 

4  Model  Checking  of  Security  Policy  Specifications  in 
Ambient  Calculus  Model  Checker 

The  general  structure  of  the  Ambient  Calculus  model  checker  is  given  in  Figure  1. 
To  benefit  from  existing  methodologies  we  divide  our  problem  into  two  sub 


Model  Checking  of  Security  Policy  Specifications  in  Ambient  Calculus 


1()1 


problems  as  temporal  model  eheckiiig  and  spatial  model  checking.  The  temporal 
model  clieeker  is  used  for  earrying  out  satisfaetion  process  for  th(»  Sometime  and 
Every  time  eoniieetives  of  ambient  logie.  The  proposed  model  eheeking  method 
generates  all  po.ssible  future  states  and  build  a  stat(‘  transition  system  based  on 
the  Ambient  Caleulus  process  speeification.  After  evaluation  of  Ambient  Logic 
formula  in  each  state,  this  state  transition  system  is  processed  into  a  Kripke 
Structure  (Definition  4)  which  is  then  given  to  temporal  model  checker.  NuSMV'^ 
|12|  is  used  a.s  a  temporal  model  checker.  Outline  of  the  proposed  algorithm  for 
the  model  checking  problem  is  below. 

1.  Define  atomie  propositions  with  respect  to  spatial  properties  of  ambiemt  logic 
formula  and  register  the  (atomic  proposition-spatial  modality)  couples. 

2.  Reduce  ambient  logic  formula  to  temporal  logic  formula  (CTL)  by  rejilacing 
spatial  modalities  with  atomie  propositions. 

3.  Generate  .state  transition  system  of  the  ambient  calculus  specification  with 
respect  to  reduction  relations.  This  involvc's  generation  of  initial  state  from 
given  ambient  caleulus  spc'cification,  generation  of  new  states  by  aj^plying 
available*  capabilitic's  with  respect  to  ambient  calculus  rc'duction  relations  and 
addition  of  new  staters  to  state  transition  system  with  transition  relation. 

4.  Generate  Kripke  Structure  from  state  transition  system.  This  st(*p  involves 
the*  assignmc'nt  of  the  values  of  the  atomic  propositions  for  each  state  of 
state  transition  systc'in  (labeling)  by  applying  model  checking  for  spatial 
modalities  on  ambient  topology  of  the  related  state  and  the  addition  of  a  new 
state  with  its  label  (values  of  atomic  propositions)  to  the  Kripke  Structure. 

T).  Gcmerate  NnSMV  code  from  Kripke*  Structure  and  CTL  Formula. 

4.1  Ambient  Topology  and  Spatial  Formula  Graphs 

In  |15|,  .state  information  is  represented  with  sets.  In  [G],  calculus  and  logic  infor¬ 
mation  is  rejnesented  as  strings  and  algorithms  are  based  on  string  operations. 
In  the  method  propo.scd,  ambient  calc  ulus  spc*cifications  and  logic  foriniihLS  are 
r(*presc*nted  as  graphs.  State  information  associated  with  a  process  spc'cific'd  in 
ambient  calculus  coii.sists  of  static  and  dynamie  propc'i  tic^s.  Static  propel  tie's 
of  state  are  the  ambients  and  tlicur  hierarchical  organization,  i.e.  the  ‘'ambient 
topology’*.  The  dynamic  properties  of  the  state  are  the  c'apabilitic's  and  their  dc*- 
pendc'iic-ic's  on  each  other.  Static*  and  dynamic  [)rop<*rtics  of  an  ambient  calcidns 
si^eeification  are  kept  in  separate  data  structures. 

Definition  1.  Ambient  Topology,  Gat  =  (^^/irMar)?  acyclic  digraph 

where  elements  of  set  of  nodes  e  G  Nat  denotes  ambients  ivithin  the  ambient 
ealcnlus  specification  (elements  of  A)  and  arcs  a  E:  A  at-  {-^y  \  ^  Nat} 

denotes  parent-child  relation  among  ambients.  The  indegive  of  nodes  dcg'~{v) 

1  for  any  node  (vertex)  v  whereas  the  oxitdegree  of  nodes  deg'^  (  v)  G  N. 

The  following  defines  capability  trees  which  is  a  novel  data  structure  nsc'd  in  our 
algorithm. 


162 


D.  Unal,  O.  Akar,  and  M.U.  Caglayan 


Proposed  Mode!  Checking  Methodology 


IX 

Ambient 

Calculus 

Specification 

TX 

Ambieni 

Logic 

Formula 


Temporal 

Model 

Lliecker 


Positive  Results 
or 

Negative  Results 
with  Counter 
Examples 


Fig.  1.  Block  diagram  of  the  Ambient  Calculus  Model  Checker 


Definition  2.  Capability  Tree,  Gct  =  acyclic  digraph  where 

set  of  nodes  v  G  Nct  denotes  capabilities  and  arcs  a  G  Actj  «  =  |  y  C 

^CT }  denotes  priority  relation  among  capabilities.  Nodes  contain  the  infoimia- 
tion  about  which  ambient  the  capability  is  attached  and  which  ambient  the  capa¬ 
bility  effects.  dcg~(v)  1  for  any  node  v,  whereas  deg^{v)  G  N. 

Graphs  representing  formulas  are  more  complex  than  the  others.  They  are  acyclic 
digraphs  where  nodes  denote  connectives  and  locations  whereas  arcs  denote  the 
operator-operand  relation.  There  are  multiple  types  of  nodes  and  arcs  in  formula 
graphs  because  of  the  different  structure  of  the  ambient  logic  eoiniectives. 

Definition  3.  An  ambient  logic  formula,  G/r  =  {Nf',Ay),  is  an  acyclic  digraph 
where 

-  The  set  of  nodes:  TVp  -  {Ni  U  Nsinary  U  Nunary  u  Npc).  Nl  is  the  set 
of  nodes  representing  ambients.  Elements  of  Ni,  are  labeled  with  elements 
of  A.  Nijnary  the  sct  of  iiodes  representing  unary  connectives  (-i,  o,  0)  at 
formulas.  N Binary  lii  tlic  sot  of  iiocles  representing  binary  conneetives,  (V) 
at  formulas.  Npc  is  the  set  of  nodes  representing  parallel  compositions  at 
formulas. 

“  The  set  of  arcs:  Ap  (Apc  ^  A  Binary  U  -<4t/7iary),  where  elements  of  Apc 
represents  parallel  compositions,  A  Binary  represents  binary  eoiniectives  and 
Aunary  represent s  unary  connectives  of  ambient  logic  formulas. 
npc  C  ApQ  X,  y|x  G  Np(j,  y  G  U  Npmary  hJ  A^t/nary)? 

C  Apfid-py  =  I  ^  ^  {Np  U  Nijnary)^y  C  Np(^)  ,  fib  C  Apinary  ^ 

{X,y\x  G  Npinary^  2/  ^  ^ Pc) 


Model  Cli<*ckiiig  of  Security  Policy  Specifications  in  Ambient  Calculus 


\m 

-  for  r  €  Nr.  (i('(;~{c)  —  1.  for  c  €  Npc.  €  N,  for  r  G 

V  6  A'/.,  dcy'^ii')  =1,  for  i>  €  Nsinary,  deg+{v)  =2. 

—  F]lcni(nits  of  Np(-  can  have  a  special  attribute  to  represent  the  T  construct  of 
the  logic.  If  T  attribute  of  a  Npc  node  is  set  to  true  this  means  the  parallel 
composition  of  process  that  the  Npc  node  stands  for,  iiichuh's  the  constant 
T. 

4.2  State  Transition  System  Generation 

In  the  proposed  model  checking  nietliodology  the  state  transition  system  is  gen¬ 
erated  from  the  initial  model  specification  by  executing  capabilities  in  tlu'  ambi¬ 
ent  (alcuhis  specification.  Since  replication  is  excluded  from  specifications,  the 
state  transition  system  can  be  represented  by  an  acyclic  digraph  where  nodes 
r('pre,seiit  states  and  edges  represent  the  execution  of  a  cai)ability.  For  selection 
of  the  next  capability  to  execute,  some  condition  clu'cks  are  carried  out.  The.se 
conditions  are  the  location  of  the  object  ambient  and  the  availability  of  the 
subject  ainbieiit,  A  capability  can  not  be  executed  if  the  location  of  the  object 
ambient  for  the  capability  is  not  the  current  location,  if  it  is  prefixed  by  another 
capability  i)ath.  or  the  parent  ambient  of  the  subject  ambient  is  inefixed  by  a 
capability  i)ath.  In  the  proposc'd  method  these  conditions  are  (becked  each  time 
a  capability  is  to  be  exc'cnted. 

In  this  work  a  new  dat^i  structure  is  offered  to  represx'iit  temporal  behaviors. 
Th('  irse  of  this  data  structure  named  '‘capability  trees”  eliminatc^s  the  lu'ed  to 
clu'ck  the  availability  of  a  subjec  t  ambient.  Capability  paths  art'  organi/od  as  an 
acyclic  digraph  that  r(*present  the  interdept'iuh'iicies  of  cai)abilities.  Capability 
tr(*(\s  are  built  at  parsing  stage  so  no  pre-processing  is  lUH'dt'd.  The  selection  of 
the  next  capability  to  execute  starts  from  the  root  of  this  graph.  This  method 
guarant(H's  (hat  the  capabilities  of  the  parent  proces.ses  are  executed  before  the 
capabilitk'S  of  child  processes. 

4.3  Checking  Spatial  Modalities 

The  l)iisi(‘  eh'inent  for  building  an  ambient  calculus  model  chc'cker  for  ambi¬ 
ent  logic  is  t(^  express  and  implement  the  satisfaction  relation.  In  the  proposed 
method,  all  the  generatc'd  states  generated  must  be  ('hc'cked  against  the  spatial 
formulas.  Ambient  logic  forniulas  are  decoinjxxsed  into  a  CTL  formula  and  a  set 
of  spatial  forniulas  by  formula  reduction.  The  ambient  topology  and  the  spa¬ 
tial  formula  graphs  are  inputs  to  the  spatial  model  checker.  The  spatial  niod('l 
ch('cking  tak(‘S  place  before  generation  of  Kripke  Structure's. 

Matching  of  an  ainbh'iit  topology  and  a  sj)atial  forniula  is  a  rc'cnrsive  jirocc'- 
dnre  in  which  ambient  toj^ology  nodes  are  assigned  to  forniula  nodes.  Matching 
process  starts  with  assigning  the  ambient  topology’s  root  to  the  root  of  the 
spatial  forniula  graj)!!.  Sj)atial  formula  nodes  can  forward  the  assigiu'd  ambi¬ 
ent  topology  node  to  its  children  partially  or  (ompletely  in  a  recursive  manner. 
Match  jnocess  is  succc'ssful  when  all  nodes  at  ambient  topology  is  matched  to  a 
spatial  formula  node.  Match  j)rocesses  at  diflferent  type  of  spatial  formula  nodes 


164  D.  Unal,  O.  Akar^  and  M.U.  Caglayan 


arc  different.  Different  match  processes  are  introduced  after  auxiliary  heuristic 
functions  which  are  explained  below. 

Heuristic  Functions.  Heuristic  functions  are  used  at  matching  the  Parallel 
composition  (|)  and  Somewhere  (o)  connectives.  Former  works  try  to  match  ev¬ 
ery  alternative  while  searching  a  match  for  these  connectives.  In  our  proposed 
method,  the  number  of  these  trials  are  reduced  by  the  help  of  auxiliary  heuristic 
functions.  Some  connectives  of  ambient  logic  called  wildcard  connectives  match 
different  kinds  of  ambient  topology.  These  connectives  are  used  for  matching  am¬ 
bients  of  ambient  topology  which  are  not  expressed  in  formulas.  The  constant  T 
of  the  logic  matches  any  ambient  topology  assigned  to  it.  Negation  connective  of 
the  logic  can  be  seen  as  another  kind  of  wildcard  connective.  Negations  matches 
any  ambient  topology  unless  the  sub  formula  of  the  negation  matches  this  am¬ 
bient  topology.  Another  source  of  wildcard  property  is  Somewhere  connectives. 
The  parallel  process  of  the  parent  ambient  are  neglected  when  searching  sublo¬ 
cations.  So  if  the  sublocation  search  is  obtained  by  applying  [  one  or  more  times, 
the  as.sociated  Somewhere  connective  gains  a  wildcard  property.  Function  wild¬ 
card  is  a  recursive  function  used  for  determining  if  a  node  of  formula  graphs  has 
wildcard  property. 

It  is  not  obvious  to  see  which  ambients  are  expected  at  sub  formulas  of  Dis¬ 
junction  and  Somewhere  connectives,  guess  Expected  Ambients  function  is  a  re¬ 
cursive  function  which  returns  a  set  of  expected  ambient  (oinbiiiations  for  a 
formula  graph  node.  The  returned  set  includes  all  possible  ambient  combina¬ 
tions  expected  by  children  of  that  node.  The  returned  value  is  a  set  instead  of 
a  single  ambient  combination.  Function  findSublocation  is  a  recursive  function 
used  to  find  parent  of  an  ambient  at  an  ambient  topology. 

Matching  of  Spatial  Formula.  In  a  match  between  an  ambient  topology  and 
spatial  formula  graph,  all  nodes  of  ambient  topology  must  be  matched  with  a 
node  of  spatial  formula  graph.  Some  nodes  of  spatial  formula  graphs  can  forward 
the  ambient  topology  nodes  assigned  to  them  to  their  children,  while  others 
match  assigned  ambient  topology  nodes  directly.  The  proposed  spatial  model 
checking  algorithm  tries  alternative  assignments  of  a  given  ambient  topology 
nodes  over  a  given  spatial  formula  graph.  The  proposed  spatial  model  checking 
algorithm  is  recursive  where  matching  process  starts  from  the  roots  of  a  graph 
and  continues  to  underlying  levels.  If  a  suitable  matching  found  at  the  upper 
level  then  matching  process  continues  to  find  matches  in  lower  levels.  The  match 
process  is  regulated  by  the  semantics  of  spatial  formula  graph  nodes. 


4.4  Generation  of  Kripke  Structure 

A  Kripke  Structure  is  a  state  transition  system  where  states  are  labeled  by  the 
set  of  atomic  propositions  which  hold  in  that  state.  Atomic  propositions  can  be 
considered  as  the  marking  of  system  properties. 

Definition  4.  Let  AP  be  a  non-empty  set  of  atomic  propositions.  A  Kiipke 
Structure  is  a  four-tuple;  M  (S,  SO^  L)  where  S  is  a  finite  set  of  states,  SO 


Model  Checking  of  Socurity  Policy  Sj^ecificatioiis  in  Aiiibieiit  Calculus 


165 


C  S  la  the  set  of  initial  states,  R  C.  Sx  S  is  a  transition  relation,  and  L:  S 
is  a  function  that  labels  each  state  with  the  set  of  atomic  propositions  that 
are  tnie  in  this  state. 

The  state  transition  data  structure  provides  sets  S,  SO  and  relation  R  of  a 
Kripke  Structure.  The  elements  of  the  set  of  atomic  propositions  come  from  for¬ 
mula  reduction.  In  forniula  reduction,  spatial  fonnulas  are  replaced  with  atomic 
propositions.  The  function  L  is  generated  by  applying  spatial  model  checking 
for  each  state  in  state  transition  data  structure  against  each  spatial  formula. 
Krij)ke  Structure  is  obtained  by  attaching  the  values,  coming  from  spatial  model 
checking,  into  the  state  transition  system  graph. 

4.5  NuSMV  Code  Generation 

The  model  checking  mechanism  explained  above  provides  CTL  formulas  and 
a  Kripke  Structure.  The  next  step  is  the  geiuTatioii  of  NuSMV  code  which  is 
semantically  equivalent  to  the  Kripke  Structure  and  temporal  logic  formula.  In 
the  NuSMV  specification  a  variable  state  is  used  for  specifying  states  in  the 
Kripke  Structure.  The  other  kind  of  variables  used  in  NuSMV  code  generation 
is  boolean  variables  for  representing  atomic  pro{)ositioiis.  CTL  formulas  {)rovi(led 
by  the  formula  reduction  step  are  then  converted  to  NnSMV  code  according  to 
CTL  formula  graph  provided  by  formula  reduction,  where  the  Sometime  (0) 
connective  is  repre.sented  jus  EF  jvnd  Everytirne  (□)  connective  is  represented  jus 
AG.  The  atomic  propositions  are  reflected  into  strings  with  their  names. 

4.6  Example  for  Spatial  Model  Checking  Algorithm 

Let’s  coiusider  the  scenario  and  policy  example  presented  in  S(‘ction  3  3.  When 
the  Ambient  Calculu.s  specification  is  input  to  the  model  checker,  a  total  of  53 
states  are  generat(‘d.  One  Atomic  Proposition  (AF^)  is  generated,  where 

AP  -  0{oHost2[0  {Datal[T]\Data2[T]}]\T}  (4) 

A  part  of  the  execution  of  the  algorithm  i.s  presented  iii  Table  3.  Only  the  initial 
and  the  Ijist  two  states  are  shown.  For  each  state  an  action  is  executed  to  produce 
a  new  spatifil  state,  bbr  state  53  the  spatial  model  checking  algorithm  matches 
tli(‘  .spatial  formula  AP  to  the  ( iirrent  state  of  World. 

Table  3.  Pjirt,  of  output  gonorat<Hl  by  the  s])atial  iiiodt'l  checker  for  the  example  policy 
presell tc'd  in  .'L3 


State 

Spatial  state  of  World 

AP 

Action 

0 

DoniaiiillUserl  |]|Ho.st  l|Fil(d  |Datal||]||| 

Doinaii  1 2 1 H  ost  2  [  U.ser2 1 1 1 F  i  le2  [  D  at  a2 1 1 1 1 1 

F 

User2|out  Host2| 

52 

Domainl  |Userl  [Host  1  |Filol|]|||  Doinain2  |Host2  |File2 
|Usor2|l|Dat.a2  |l|Datal  |||| 

F 

User2[oiit  File2| 

53 

Domainl  |Ust‘rl  |Hosll  |Filpl|||||  Doniain2  |Host2  |File2 
|Data2  |||Dat.al  [|||User2||| 

T 

■ 

16C  D.  Unal,  O.  Akar,  and  M.U.  Caglayan 


4.7  Complexity  and  Performance  Analysis 

Time  Complexity.  Time  complexity  of  generation  state's  transition  system  is 
dependent  on  the  number  of  capabilities.  The  execution  of  a  capability  causes 
a  future  state.  In  the  worst  case,  all  capabilities  are  independent.  Independence 
of  capabilities  means  that  capabilities  are  in  sequence  or  they  operate  on  dif¬ 
ferent  ambients.  Where  n  is  the  number  of  capabilities  in  the  ambient  calculus 
specification,  the  time  complexity  of  generating  state  traiisitioii  system  in  worst 
case  is 


The  time  coin[)lexity  of  checking  spatial  modalities  are  dependent  to  the  type 
and  number  of  the  connectives  of  the  sjjatial  formulas.  The  overall  time  cost  of 
the  match  process  for  Somewhere  connective  is  linear  with  the  cost  of  match 
process  of  parallel  composition  for  specifications  with  Soniewlu're  connectives. 
However,  the  time  complexity  of  the  match  process  is  exponential  with  the  num¬ 
ber  of  ambients  as  defined  in  Formula  6  where  a„c  is  the  nuiuber  of  topmost 
ambients  of  the  ambient  tO[)ology  which  arc  not  expected  by  the  heuristic  func¬ 
tions,  is  the  number  of  disjunctions  which  have  wildcard  property  in  the 
parallel  composition,  not  is  the  number  of  negations  in  the  parallel  composition, 
sw^,  is  th(’  iiuiiilx'r  of  Somewhere  connectives  which  have  wildcard  i)roperty  in 
the  i)arallel  composition: 


0(47'"+"“'+''’"))  (6) 

In  contrast,  when  the  brute  force  search  is  u.scd  for  decomposing  ambient  calculus 
specifications,  the  time  coiiiidexity  is  calculated  as  defined  in  Formula  7  where 
a  =  One  -k  o.e  is  the  total  number  of  topmost  ambients  in  the  ambient  topology, 
including  those  expected  by  the  heuristic  functions  (ttc),  I  is  the  number  of 
location  in  the  i)arallel  composition,  sw  is  the  number  of  Somewhere  connectives 
which  have  not  wildcard  property  in  a  parallel  composition,  d  is  the  number  of 
disjunctions  which  have  not  wildcard  property  in  the  parallel  composition: 


0{{a) 


(7) 


As  presented  above,  the  variables  that  effect  the  exponential  complexity  of  the 
match  process  is  significantly  reduced  by  the  proi)o.sed  algorithm. 


4.8  Space  Complexity 

Proposed  algorithm  builds  a  state  transition  system  in  a  depth-first  manner.  The 
depth  of  the  state'  transition  system  is*  at  most  eejual  to  the  number  of  capabilities. 
Therefore,  the  space  complexity  of  the  space  generation  is  0{n)  whore  n  is  the 
number  of  capabilities.  When  checking  spatial  modalities,  the  space  needed  is 
equal  to  the  size  of  the  formula  which  is  dependent  on  the  number  of  connectives 
of  the  formula.  Therefore,  the  s])ace  (‘omplexity  of  checking  spatial  modalities  is 
0(c),  where  c  is  the  number  of  the  connectives  at  formula. 


Model  Cliecking  of  S(*ciiri(y  Policy  Specifications  in  Ambient  Calculus 


Hi? 


4.9  Performance 

Due  to  space  limitations,  the  details  of  perforiiiaiiee  tests  will  not  he  presented. 
As  a  sumiiiary,  our  perfoniiaiice  tests  suggest  that  the  state  transition  system 
g(*iieratioii  cost  outweighs  the  si)atial  model  check  for  both  time  and  space  con- 
sum  j)tioii.  As  an  example  to  |)erformaiiee  results,  a  specification  with  IG  ambients 
and  37  capabilitn.'s  generates  nearly  030,000  states  with  iiKunory  consuin])! ion 
under  8  MB  and  a  time  of  under  300  .seconds.  The  |)erformance  test  has  b(vn 
run  on  an  Intel  C5  server  with  2.93  GHz  CPU  and  10  GB  inemory. 

5  Future  Work  and  Conclusions 

W(*  j)resented  a  method  and  tool  for  tlu*  sj)ecificatioii  and  verification  of  security 
l)olicies  of  multi-domain  mobik'  netw'orks.  The  main  focus  of  this  method  is 
location  and  mobility  aspects  of  security  i)oli(‘ies.  The  Inisic  eleiiu'iits  of  this 
method  are  predicate  logic,  ambient  (alcuhis  and  ambient  logic.  In  this  paper. 
mod(d  cheeking  techniques  are  applied  for  wrification  of  security  |)olicies  and  an 
ambient  cah  ulus  model  checker  is  presented. 

The  siz('  of  the  state  transition  system  is  the  most  significant  eleiiieiit  at  time 
and  s[)atial  cost  of  model  checking.  Number  of  states  growls  exponentially  as  ca- 
j)ability  niiiiiber  increase  linearly.  A  partial  order  reduction  might  decrease  the 
imniber  of  the  states  of  the  stat('  transition  system  and  lediice  time  consuinp- 
tion  and  size  of  generated  NiiSMV  code.  Iiuestigatiiig  partial  order  nHluction 
te(dinujues  for  ambient  calculus  is  a  directi(^n  for  our  future  work. 

In  our  ongoing  research  we  are  d(‘velo|:)ing  tools  for  automatic  extraction  of 
formal  ju'oeess  calculus  s])ecifications  and  logic  formulas  from  secairity  policy.In 
order  to  extract  the  Ambient  Logic  foi  inula  and  sp(*cifi(‘ation  from  scMUirity  pol¬ 
icy,  we  are  biiihiing  a  tool  called  “Formal  Si)ecificatioii  Generator’'.  The  tool  will 
b(‘  based  on  analysis  of  .scenarios  d('])i(‘ting  seciuences  of  actions  of  system  t*!- 
ciiKuits.  These  high-level  actions  are  more  suitable^  for  our  jjroblem  domain  in 
contrast  to  Ambient  Calculus  i)riinitives.  Therefoic'  our  aim  is  to  provide  an  au¬ 
tomated  means  to  translate  high  level  |)olicy  and  actions  to  formal  (‘aleuhis  and 
logic  spcM'ifications. 


References 

1.  Beckca*,  M.,  Fournet,  C.,  Gordon,  A.:  Design  and  semantics  of  a  deccrntralized  aii- 
thorizatioii  language.  In;  20th  Ihdvk]  C’oinputer  Security  Foundations  Sympo.sinni. 
pp.  3  15.  IEEE  Computer  Society  Press  Los  Alamitos  (2007) 

2.  Bertino,  E.,  Ferrari,  E.,  Bnccafurri,  F.:  A  logical  framework  for  reasoning  on  data 
acce.s.s  control  policies.  In:  12th  IEEE  Computer  beenrity  Foundations  Workshop, 
pp.  175  189.  IEEE  Computer  Society  Press,  Los  Alamitos  (1999) 

3.  Cank'lli,  L.,  Gordon,  A.D.:  Anytime,  anywlK'n*:  modal  logics  for  mobile  anibk’uts. 
In:  27th  ACM  SIGPLAN-SIGACT  Symposium  on  Principles  of  Programming  Lan¬ 
guages  -  POPL  2000,  pp.  3()5  377  (2000) 


168 


D.  Unal,  O.  Akar,  and  M.U.  Cjiglayan 


4.  Cardelli,  L.,  Gordon,  A.D.:  Mobile  ambients.  Theoretical  Computer  Science  240(1), 
177-213  (2000) 

5.  Charatonik,  W.,  Gordon,  A.,  Talbot,  J.:  Finite-control  mobile  ambients.  In:  Le 
Metayer,  D.  (cd.)  ESOP  2002.  LNCS,  vol.  2305,  pp.  205  313.  Springer,  Heidelberg 
(2002) 

6.  Charatonik,  W.,  Zilio,  S.D.,  Gordon,  A.D.,  Mnkhopadhyay,  S.,  Talbot,  J.:  Model 
checking  mobile  ambients.  Theoretical  Computer  Science  308(1-3),  277  331  (2003) 

7.  Coinpagnoni,  A.,  Bidinger,  P.:  Role-based  acces.s  control  for  boxed  ambients.  The¬ 
oretical  Computer  Science  398(1-3),  203  216  (2008) 

8.  Cuppens,  F.,  Saurel,  C.:  Specifying  a  security  policy:  a  case  study.  In:  9th  IEEE 
Computer  Security  Ponndatioiis  Work.shop,  pj).  123  134.  lEEPl  Computer  Society 
Press,  Los  Alainitos  (1996) 

9.  Damianou,  N.,  Dnlay,  N.,  Lupu,  E.,  Sloman,  M.:  The  Ponder  policy  specifica¬ 
tion  language.  In:  Sloman,  M.,  Lobo,  J.,  Lupu,  E.C.  (eds.)  POLICY  2001.  LNCS, 
vol.  1995,  pp.  18  38.  Springer,  Heidelberg  (2001) 

10.  Drouineaud,  M.,  Bortin,  M.,  Torrini,  P.,  Sohr,  K.:  A  first  step  towards  formal 
verification  of  security  policy  properties  for  RBAC.  In:  Proc.  QSIC  (2004) 

11.  Ferraiolo,  D.F.,  Sandhu,  R.,  Gavrila,  S.,  Kuhn,  D.R.,  Chandramouli,  R.:  Proposed 
NIST  standard  for  role- based  access  control.  ACM  Trans,  liif.  Syst.  Scenr.  4(3), 
224  274  (2001) 

12.  Giunchiglia,  C.C.,  Cimatti,  A.,  Clarke,  E.,  Giunchiglia,  F.,  Roveri,  M.:  Nusmv:  a 
new  symbolic  model  checker.  International  .Journal  on  Software  Tools  for  Technol¬ 
ogy  Transfer  4,  410  425  (2000) 

13.  Jajodia,  S.,  Samarati,  P.,  Subrahmanian,  V.S.:  A  logical  language  for  expressing 
authorizations.  In:  IEEE  Symposium  on  Security  and  Privacy,  pp.  31  42  (1997) 

14.  Jajodia,  S.,  Samarati,  P.,  Sapino,  M.L.,  Subrahmanian,  V.S.:  Flexible  support  for 
multiple  access  control  policies.  ACM  Trans.  Database  Syst.  26(2),  214  260  (2001) 

15.  Mardare,  R.,  Priami,  C.,  Quaglia,  P.,  Vagin,  O.:  Model  checking  biological  systems 
described  using  ambient  calculus.  Computational  Methods  in  Systems  Biology,  85 
103  (2005) 

16.  Ryutov,  T.,  Neuman,  C.:  Representation  and  evaluation  of  security  policies  for 
distributed  system  services.  In:  DARPA  Information  Survivability  Conference  and 
Exposition,  pp.  172  183  (2000) 

17.  Scott,  D.:  Abstracting  application-level  security  policy  for  ubiquitous  computing. 
Ph.D.  thesis,  University  of  Cambridge  (2005) 

18.  Sohr,  K.,  Drouineaud,  M.,  Aim,  G.,  Gogolla,  M.:  Analyzing  and  managing  Role- 
Based  access  control  policies.  IEEE  Transactions  on  Knowledge  and  Data  Engi¬ 
neering  20(7),  924-939  (2008) 

19.  Unal,  D.,  Caglayaii,  M.U.:  Theorem  proving  for  modeling  and  conflict  checking  of 
authorization  policies.  In:  Proc.  ISCN  (2006) 

20.  Woo,  T.Y.C.,  Lam,  S.S.:  Authorizations  in  distributed  sy.stcms:  A  new  approach. 
Journal  of  Computer  Security  2,  107-136  (1993) 

21.  Zhang,  N.,  Giielcv,  D.,  Ryan,  M.:  Synthesising  verified  access  control  systems 
through  model  checking.  Journal  of  Computer  Security  16(1),  1-61  (2007) 


Credentials  Management  for  High-Value 
Transactions 


Glenn  Benson^  Shiii-Kai  Cliiii^,  Sean  Croston^ 
Karthiek  .layaraiuaii'^,  and  Susan  Okler^ 

^  JP  Morgan  Clicise 

{gleim . benson , sean . b . croston}® jpmchase . com 
^  BEGS  Department ,  Syracuse  University.  Syracuse,  New  York  K^244 
{ skchin , k j  ayaram , sbolder }®syr . edu 


Abstract,  Partner  key  iiiaiiagenient  (PKM)  is  an  interoperable  cre¬ 
dential  management  protocol  for  online  coiiiuiercial  transactions  of  high 
value.  PKM  reinterprets  traditional  ])ublic  key  infrastructure  (PKI)  for 
u.se  in  high-v^ahie  coiiiiiiercial  tran.sactions,  which  require  additional  con¬ 
trols  on  the  use  of  credentials  for  authentication  and  authorization.  The 
ne(ul  for  atiditional  controls  is  met  by  the  u.se  of  partner  key  ])ractice 
statements  (PKPS).  which  are  machine-readable  policy  statements  prt'- 
cisc’ly  specifying  a  bank’s  policy  for  accepting  and  processing  payment 
ri‘qiu'st.s.  As  assurance  is  crucial  for  high-vahie  transactions,  we  use  an 
access-control  logic  to:  (1)  describe  the  protocol,  (2)  assure  the  logical 
coiisi.stency  of  the  operations,  and  (3)  to  make  the  trn.st  assumptions 
explicit. 

Keywords:  authentication,  authorization,  protocols,  trust,  logic. 


1  Introduction 

Authorizing  oiilino  high-value  coiiiiiiercial  transactions  requires  a  higher  level  of 
diligence  when  compared  to  consiinier  or  retail  traiisactioii.s.  A  single  high-value 
transaction  may  involve  the  transfer  of  hundreds  of  millions  of  dollars.  The  inher¬ 
ent  risk  associated  with  wholesale  online  hanking  compels  many  banks  to  require 
additional  security  beyond  aiithcnticating  users  at  login  tiin(\  Additional  secu¬ 
rity  often  takes  the  form  of  tighter  controls  and  limits  on  the  use  of  credentials. 
Ultimately,  ('acli  bank  trusts  itself  more  than  any  other  entity.  This  naturally 
leads  to  the  practice  of  banks  i.ssiiing  their  own  crt'dentials.  Historically,  a  cash 
manager  of  a  corporation  would  hold  separate  credentials  from  each  bank  with 
which  he  or  she  d('als.  While  this  serves  the  needs  of  commercial  banks,  as  cor¬ 
porations  w^aiit  to  simultaneously  hold  accounts  in  multiple  banks,  the  insi.stence 
upon  and  proliferation  of  unique  credentials  is  viewed  by  customers  ^is  poor  ser¬ 
vice.  Hence,  it  is  increasingly  important  for  global  financial  service's  providers, 
such  as  .JP  Morgan  Chase,  to  offer  credentials  that:  (1)  are  interoperable  to 
provide'  eui.stomer  convenience,  aiieJ  (2)  ine'et  the  nen'els  of  high-value  commercial 
transactions  in  terms  of  authe'iitication,  authorization,  anel  liability. 

Traelitional  Public  Ke'y  Infrastructure  (PKI)  credentials  wdiile  interoperable, 
alone  are  insiifficienit  to  snrinoiiiit  the  following  obstacles  inherent  to  the  use  of 
interoperable  credentials  in  high-value  transactions: 

I  Kotenko  and  V,  Skornnn  (Eds,):  MMM-ACNS  2010,  LNCS  0258,  pp.  109  182,  2010. 

©  Springer- Verlag  Berlin  Heitlelbeig  2010 


170 


G.  Benson  et  al. 


1.  Autonorny:  Interoperability  and  autonomy  are  in  tension  with  each  other.  An 
implication  of  interoperability  is  the  need  to  allow  audits.  For  example,  say 
Second  Bank  is  contemplating  recognizing  credentials  issued  by  First  Bank. 
Second  Bank  would  understandably  want  to  audit  First  Bank's  practices 
as  a  credential  issuer  against  Second  Bank’s  policies.  Understandably,  First 
Bank  would  be  reluctant  to  agree  to  audits  of  its  operations  by  competitors 
such  as  Second  Bank. 

2.  Liability:  Non-bank  issuers  of  PKI  credentials  neither  want,  nor  are  in  a  po¬ 
sition  to  accept,  liability  for  failed  high-value  transactions.  One  way  around 
this  is  for  a  bank  to  issue  its  own  credentials  to  limit  risk  and  to  recognize 
only  the  credentials  it  issues;  however,  the  solution  is  not  interoperable  by 
definition. 

3.  Expense:  If  commercial  banks  were  to  recognize  non-bank  certificate  issuers 
for  higli-vahie  connnercial  transactions,  then  commercial  banks  would  need 
to  be  coiniected  to  the  non-bank  certificate  issuers.  This  is  an  added  oper¬ 
ational  expen.se  for  banks,  which  is  another  Imrrier  to  achieving  interoper¬ 
ability. 

In  this  paper,  we  describes  an  interoperable  certificate  management  protocol 
called  partner  key  management  (PKM).  PKM  is  designed  to  address  the  three 
obstacles  to  interoperability  of  credentials  in  high-value  transactions  described 
above.  Under  the  PKM  model,  each  bank  publishes  a  partner  key  practice  state¬ 
ment  (PKPS),  which  is  a  machine  readable  document  that  deseribes  the  bank’s 
policy  for  accepting  interoperable  credentials.  PKM  enables  each  bank  to  avoid 
liability  on  transactions  executed  at  any  other  bank,  while  preserving  creden¬ 
tial  interoperahility.  Furthermore,  PKM  supports  a  general  validation  model, 
where  each  corporation  need  only  connect  to  the  credential  issuers  to  which  it 
subscribes.  Moreover,  we  describe  the  certificate  management  protocol  using  an 
access-control  logic  to  prove  its  logical  consistency  and  also  to  make  the  under¬ 
lying  trust  assumptions  explicit. 

The  rest  of  this  pai)er  is  organized  as  follows.  Section  2  presents  the  PKM 
model,  PKPS,  and  sender  validation.  Section  3  defines  the  syntax,  semantics,  and 
inference  rules  of  the  logic  used  to  describe  and  reason  about  PKM.  Section  4 
is  an  overview  of  how  key  parts  of  PKPS  are  expressed  in  the  logic.  Section  5 
provides  an  extended  example  describing  and  analyzing  the  operation  of  PKM. 
Related  work  is  briefly  discussed  in  Section  6.  We  offer  conclusions  in  Section  7. 

2  Partner  Key  Management 

2.1  Credentials  Registration 

The  PKM  model  focuses  on  authorization  to  use  a  credential  as  opposed  to  secure 
distribution  of  a  credential.  As  an  analogy,  consider  mobile  phone  distribution 
logistics.  A  user  may  purchase  a  mobile  phone  from  any  distributor.  At  the  time 
that  the  user  physically  acquires  the  phone,  the  telecom  operator  does  not  know 
the  user’s  identity  and  does  not  allow  use  of  the  phone.  Subsequently,  the  user 
and  the  telecom  operator  agree  to  terms  of  use;  and  the  mobile  phone  operator 
authorizes  the  phone’s  connection  to  the  telecom  network.  In  the  PKM  model, 
the  credential  plays  the  role  of  the  phone,  and  the  bank  plays  a  similar  role  to 
the  telecom  operator. 


Credentials  Manageuieiit  for  H igli- Value  lYatisact  ions 


171 


111  PKM,  the  user  first  obtains  a  credential  from  a  credential  distributor.  The 
cr(’(l(Mitial  distributor  has  the  resj^ionsihihty  to  distribute  ‘secure*  (T('deiitials  un¬ 
der  a  definition  of  secmrity  defined  by  the  operator.  For  example,  one  o])erator 
may  only  distribute  certificates  on  .secured  USB  devices,  while  another  operator 
may  distribute  software  for  self-signed  certificates.  After  obtaining  a  credential, 
th('  ii.ser  submits  a  recpiest  to  each  of  his  or  her  banks  to  allow  use  of  the  cre¬ 
dential.  On  this  step,  the  bank  has  two  responsibilities.  First,  the  bank  must 
securely  assure  it.self  of  th('  user's  true  identity.  S(X'ond,  the  bank  niiist  examine 
the  (Tedeiitial  to  determine  if  th('  credential  meets  the  bank's  standards.  For 
example,  some  banks  may  prohibit  credentials  other  than  certificates  that  resich' 
ill  a  secured  hardware  token.  If  the  bank  accepts  the  credential,  then  the  bank 
authorizes  the  credcaitial  to  represent  the  user.  The  us(t  may  use  the  same  cre¬ 
dential  with  multiple  banks  by  appropriately  registering  the  credential  with  the 
respective  Imiiks.  The  authorization  i)rocess  may  vary  between  the  banks.  Each 
bank  may  have  its  owui  oi)erational  policy  governing  the  conditions  in  wdiich  it 
a(‘cepts  the  credentials  ba.sed  upon  the  bank's  i)ublished  operating  rules. 

In  efhx  t,  till'  credentials  are  interoperable,  and  banks  have  the  lilx'rty  to  follow 
their  own  proc('dure  for  ac(‘e[)tiiig  the  credc'iitials  and  allowing  users  to  em|)lov 
those  credentials.  Tlu'  re.snlt  is  an  infr^ustrncture  that  allows  the  possibility  of  in¬ 
teroperability  without  mandating  interoi^c'rability.  If  two  banks  agnv  to  accei)t  a 
single  credential,  then  that  credential  would  interoperate  between  the  two  banks. 
No  bank  needs  to  rely  upon  any  other  bank  or  extcM  iial  credential  j)rovider. 


2.2  Partner  Key  Practice  Statement 

Banks  participating  in  the  FKM  model  j^iiiblish  an  XML  document  called  the 
Partner  Key  Pracliee  Statement  (PKFS).  which  is  written  using  \VS-Poli(‘V  [!]• 
A  PKPS  defiiK's  how  a  cori)oration  and  a  bank  agr('e  to  work  together,  as  gov¬ 
erned  by  their  inutnally  agixx'd  iij^on  s(x*urity  j)rocedur(\s.  The  corporation  and 
the  bank  have  the  frecxlom  to  impose  almost  any  conditions  to  which  they  mutu¬ 
ally  agree,  j)rovided  that  the  conditions  do  not  require  unsnpportable  program¬ 
ming  logic.  Idle  list  below  presents  .some  examples  types  of  information  that  may 
appear  in  a  PKPS: 

1.  Credential  Media:  The  definition  of  the  credential  inc'dia  may  mandate'  a 
smart  card,  USB  token,  HSM,  ldPS-140-2.  or  a  software  credential. 

2.  Credential  Providir:  This  item  contains  the'  list  of  cn'dential  providers  to 
whic'h  the  corporation  and  the  bank  imitnally  .siibscrib(‘.  Exami)le  providers 
are  third  party  trusted  providers,  self-sigiu'd  certificates,  the  corporation's, 
or  the  bank's  own  infrastnu  tiire. 

d.  Revocation:  The  n'vocation  definition  desc:ril)es  tlu'  type  of  permissible  cn'¬ 
dential  n'vocatioii  mechanism,  e.g..  certificate  revocation  list  (CRL).  online 
certificate  status  ])rolocol  (OCSP)  [2],  etc.  The  revocation  definition  also 
describes  the  party  re.si)onsibie  for  enforcing  credential  revo(‘ation;  and  it 
describes  any  sj)e('ific  usag('  i)ra('tice.  P'or  exanii^le.  the  revocation  mecha- 
uisiii  may  mandate  that  t  he  recipient  of  a  signature  validate  a  CRL  .sigiu'd 
by  a  particular  party. 

4.  Timestamp:  llie  timestamp  definition  defines  tiniestaiii])  rules  and  the  time.s- 
tamp  provider,  if  any.  The  timestami)  definition  may  si)ecify  a  real-time 


172 


G.  Benson  et  al. 


threshold  value.  The  recipient  must  ensure  that  it  receives  and  validates  a 
signature  before  the  threshold  timelimit  after  the  timestamp.  For  example,  a 
six  hour  threshold  value  means  that  the  recipient  must  validate  a  signature 
before  six  hours  expires  after  the  timestamp. 

5.  Signature  Policy:  The  PKPS  can  specify  the  number  of  signatures  required 
for  a  specific  type  of  transaction,  and  the  roles  of  signatories.  An  example  of 
a  signature  policy  is  one  which  requires  both  an  individual  signature  and  a 
corporate  ''system”  signature  in  order  to  consider  either  signature  as  valid. 

6.  Credential  Technology:  A  certificate  that  supports  the  X.fiOfi  standard  is  an 
obvious  choice  for  interoperability.  However,  additional  technologies  such  as 
the  portable  security  transaction  protocol  (PSTP)  [3]  exist,  and  the  PKPS 
may  specify  alternative  technologies. 

The  security  requirements  mutually  agreed  to  by  the  bank  and  the  corporation 
arc  reflected  in  a  specific  PKPS,  or  possibly  a  list  of  PKPSs,  The  security  re¬ 
quirements  may  mandate  that  the  corporation  must  attach  the  PKPS  on  c<ich 
signed  transaction  in  order  to  consider  any  signature  valid. 

2.3  Revocation 

This  paper  presents  three  example  validation  models.  A  bank’s  PKSP  should 
define  the  model  that  a  particular  bank  allows. 

1.  Receiver  validation:  The  receiver  validation  model  is  typically  used  in  a 
PKI  model.  First,  Alice  submits  a  signed  transaction  to  the  bank.  Upon  re¬ 
ceipt,  the  bank  validates  Alice’s  signature  against  a  CRL  or  OCSP  responder 
managed  by  the  certificate  provider. 

2.  Sender  validation  without  evidence:  Alice  submits  signed  transactions 
to  the  bank,  but  the  bank  j)erforms  no  revocation  check.  Alice’s  company 
and  the  bank  manage  Ali(‘('’s  credential  using  mechaiiisni  outside  the  scope 
of  the  signed  transaction. 

3.  Sender  validation  with  evidence:  Alice  submits  her  certificate  to  an 
OCSP  responder,  and  obtains  a  response  signed  by  the  OCSP  responder. 
Alice  signs  the  transaction  and  the  OCSP  response,  and  then  submits  to  the 
bank.  The  bank  validates  both  Alice’s  signature  and  the  OCSP  responder’s 
signature.  If  the  bank  finds  no  error,  then  the  bank  accepts  the  transaction. 

Each  bank  ha.s  the  opportunity  to  allow  any  of  the  three  examj^le  models,  or 
build  its  own  variant  model.  Multiple  banks  may  all  accept  the  same  creden¬ 
tial  from  Alice,  while  requiring  diffc^rent  revocation  mod  els.  The  second  model, 
sender  validation  without  evidence,  merits  further  discussion.  If  Alice  proves  to 
be  an  untrustworthy  person,  then  Alice’s  company  reserves  the  right  to  disable 
Alice’s  credential.  For  example,  if  Alice  has  a  gambling  problem,  then  autho¬ 
rized  representatives  of  Alice’s  company  should  contact  each  of  its  banks  with 
the  instruction  to  stoj)  allowing  Alice’s  credential.  Another  use  case  which  also 
results  in  credential  disabling,  is  one  where  Alice  contacts  each  bank  because  she 
suspects  that  her  own  credential  was  lost  or  stolen. 

An  OCSP  responder,  or  a  certificate  revocation  list  is  iiKnely  a  revocation 
mechanism  optimized  for  scalability.  As  opposed  to  requiring  the  Alice’s  com¬ 
pany  to  contact  each  of  its  banks,  an  OCSP  responder  or  Certificate  Revocation 


Credentials  Management  for  High- Value  Transactions 


17:i 

List  provides  a  centralized  rei)o8itory  which  handles  certificate  revocation.  The 
advantage  of  the  OCSP  responder  or  certificate  revocation  list  is  sealability  as 
opposed  to  security.  If  Alice  were  authorized  to  transact  on  accounts  at  hundreds 
or  thousands  of  banks,  then  the  second  model  (sender  validation  without  evi¬ 
dence)  would  not  be  practical.  However,  in  practice,  wholesale  banking  does  not 
need  such  enonnous  scalability.  Rather.  Alice  typically  works  with  just  a  handful 
of  banks.  Although  Alice's  conii)any  may  find  the  credcmtial  disabling  process  to 
be  relatively  tedious  because  tlu'  company  needs  to  contact  each  of  the  banks  in 
the  handful,  we  normally  find  that  corporations  employ  the  credential  disabling 
process  relatively  infrecpiently. 

In  practice,  corporations  tend  to  contact  each  of  their  banks  whenever  a  user's 
credential  changes  status,  even  if  the  bank  happens  to  use  the  traditional  receiver 
validation  model.  In  facd,  some  banks  require  imniediatc  notification  of  such 
evcaits  in  their  operating  model.  Intuitively,  if  the  corporation  ceases  to  trust 
Alice  to  authorize  high-value  transactions,  then  the  corporation  probably  wants 
to  contact  each  of  its  banks  directly. 

Both  the  .second  and  the  third  models  assume  sender  validation,  as  opposed  to 
receiver  validation.  An  advantage  of  sender  validation  is  that  it  better  handles 
expense.  Suppose,  for  example,  a  corporation  agrees  to  the  services  of  a  new 
credential  distributor.  Credential  interoperability  encourages  a  dynamic  market 
by  allowing  the  corporation  the  freedom  to  choose  any  acceptable  credential 
distributor,  in  the  receiver  validation  model,  the  corporation  could  not  use  that 
credential  with  its  bank  until  the  bank  agrees  to  build  an  online  connection  to 
the  credential  distributor’s  OCSP  responder  or  certificate  revocation  list.  In  the 
s(Mider  validation  models,  on  the  other  hand,  the  corporation  may  immediately 
use  the  credential  with  the  bank  without  waiting  for  the  costly  and  possil)ly  slow 
technology  developiiunit  process. 

3  An  Access-Control  Logic  and  Calculus 

We  use  an  a(‘cess-control  logic  to  describe  and  rc^ason  about  the  validity  of  acting 
on  payment  instruetions.  This  section  introduces  the  syntax,  semantics,  and 
inference  rules  of  the  logic  wc'  use. 

3.1  Syntax 

Principal  Exprcfisions.  L<'t  P  and  Q  range  over  a  collection  of  principal  expres¬ 
sions.  Let  A  range  over  a  countable  set  of  sinii)le  principal  names.  The  abstract 
syntax  of  principal  expressions  is: 

P  a  /  PkQ  /  P\Q 

The  priiK'ipal  PfcQ  ('‘P  in  conjunction  with  Q")  is  an  abstract  principal  making 
exactly  those  statements  made  by  both  P  and  Q\  P  \  Q  (“P  quoting  Q  ’)  is  an 
abstract  principal  corre.sponding  to  principal  P  quoting  principal  Q. 

Access  Control  Statements.  The  abstract  .syntax  of  statements  (ranged  over  by 
is  defined  as  follows,  where  P  and  Q  range  over  principal  expressions  and  p 
ranges  over  a  countable  set  of  prvpositional  variables: 

if  ::=  p  j  -iv?  /  -^1  A  v?2  /  >^1  V  v?2  /  <^1  <^2  /  >^1  =  'P2  ( 

P  ^  Q  /  P  says  ^  f  P  controls  j  P  reps  Q  on 


174 


G.  Benson  ot  al. 


Informally,  a  forimila  P  Q  (pronounced  “P  speaks  for  Q’')  indicates  that 
every  statement  made  by  P  can  also  be  viewed  as  a  statement  from  Q.  A  formula 
P  controls  cp  is  syntactic  sugar  for  the  implication  (P  says  (^)  D  in  effect,  P  is 
a  trusted  authority  with  respect  to  the  statement  <p.  P  reps  Q  on  ^  denotes  that 
P  is  Q  s  delegate  on  it  is  syntactic  sugar  for  (P  says  {Q  says  ip))  D  Q  says  ip. 

Notice  that  the  definition  of  P  reps  Q  on  is  a  special  case  of  controls  and  in 

effect  asserts  that  P  is  a  trusted  authority  with  respect  to  Q  saying  ip. 

3.2  Semantics 

Kripke  structures  define  the  semantics  of  formulas. 

Definition  1.  A  Kripke  structure  M  is  a  three-tuple  (IT, /,  J),  where: 

—  W  is  a  nonempty  set,  whose  elements  are  ealled  worlds. 

—  /  :  PropVar  — ►  V{\V)  is  an  interpretation  funetion  that  maps  eaeh  propo¬ 
sitional  variable  p  to  a  set  of  worlds. 

—  J  :  PName  V{W  x  IK)  is  a  funetion  that  maps  eaeh  prineipal  name  A 

to  a  relation  on  worlds  (i.e.,  a  subset  of  W  x  \V ). 

We  extend  J  to  work  over  arbitrary  prineipal  expressions  using  set  union  and 
relational  composition  ;is  follows: 

7(p&g)  =  J{P)ijj{Q) 


where 


./(P)  o  J(g)  =  {(ii7i,u»2)  I  ,  1//)  G  J{P)  and  e  7(g)} 


Definition  2.  Eaeh  Kiipke  .strueture  M  =  {\V,I,J)  gives  rise  to  a  funetion 

SMl-]:Form  -^V{\V), 

where  the  set  of  worlds  in  whieh  ip  is  considered  ti-ue.  i'^  defined 

induetively  on  the  stmeture  of  ip,  as  shown  in  Figure  1. 

Note  that,  in  the  definition  of  SmIP  ^ays  ip].  J{P){iv)  is  simply  the  image  of 
world  w  under  the  relation  ./(P). 


3.3  Inference  Rules 


In  practice,  relying  on  the  KrijDke  semantics  alone  to  reason  about  policies  and 
behavior  is  inconvenient.  Instead,  inference  rules  are  used  to  manipulate  formulas 
in  the  logic.  All  logical  rules  must  be  sound  to  maintain  consistency. 


Definition  3.  A  rule  of  form  — — -  is 
M  =  (IK,/.  J),  ifSMlHt]  =  IK  for  eaeh  i  e  {1 


sound  if  for  all  Kripke  stnietures 
. p},  then  -  IK. 


The  rules  in  Figures  2  and  3  are  all  sound.  If  sound  rules  are  used  throughout, 
then  the  conclusions  derived  using  the  inference  rules  are  sound,  too. 


Cr(‘<i(Mitials  Maiiagomont  for  High-Value  "lYansactioiis 


175 


=  I  ip) 

^  (p'il  =  [ipi]  n  fMl^2\ 

^YmI'Pi  3  'PiJ  =  I'Pi  I)  U  Iip2ll 

iv^  J  =  ip2l  -  ^,VI  lipi  D  >^21  ^Ai  l''p2  3  'p  ll 


£mU'  =  {b'' 


if  J(Q)  C  ./(/>) 
othrrwiso 


says  {ii-|./(P)(uO  C 

€mI^  controls  ^  says  v?)  D  ^1 

i\vt  |/*  reps  Q  on  =  5  mI^'  j  Q  says  ^  D  Q  says  ,^]| 


Fig.  1.  Sei  nan  ties 


Taut - — ^ 

'P 


Xfodus  Tonrns 
Ml*  Says 


if  Kp  is  an  instaiu'e  of  a  prop- 
l<)gir  tautology 


P  D  •r 


Says 


P  says  y? 


(P  says  (ip  3  'P'))  3  (P  says  p>  D  P  says  p') 
Speaks  For 


Quottny 


P  =>  Q  3  (P  says  p  3  Q  says  p) 


P  I  Q  says  p  ^  P  says  Q  says  p 


ki  Say.' 

Id<'Tn]>ntf'nry  of  => 


Pk'Q  says  p  =  /*  says  p  A  says  p 

P'  ^  P  Q'  ^  Q 


P  =>  P 


Monotnrt7.(:ity  »/l 


/>'  I  y  =i.  P  I  Q 


/l.ssoruatti'ity  o/  | 


P  :  (g  P)  says  p 
(P  I  g)  I  P  says  p 


P  controls  p  —  (P  says  p)  3  p 
P  reps  Q  on  p  *=  P  |  Q  says  p  3  g  says  p 
Fig.  2.  Core  Iiifeieiiee.  Rules 


4  Expressing  Statements  and  the  PKPS  in  Logic 

With  the  dcHnitioii  of  tlic  syntax  and  semantics  of  access-control  logic,  we  pro¬ 
vide  an  int.rodn(‘tioii  to  expr(\ssiiig  actual  paynieiil  instructions  and  tlu'  PKPS 
ill  logic. 

Stuivments  and  Certificatvs:  Statements  and  requests  are  inad('  by  principals. 
R(‘(iuests  are  logical  statements.  For  example,  say  Alice  wants  to  transfer  $10^ 
dollars  from  acrt\  to  acc(2>  If  (ti'ansfer  l()^\arr/i,  acct2)  denotes  the  proposition 
it  is  justifiable  to  transfer  $10’*  fi'oni  orct  i  to  acct2.  tiieii  wo  can  repn'sent  Alice's 
rccpiest  as  Alice  says  {transfer  10^,  ncrYi ,  acc/^)-  Credentials  or  certificates  an' 
statements,  usually  sigiK'd  with  a  cryptographic  key.  For  example,  assume  wv 


176 


G.  Benson  et  al. 


Quoting  (t) 


P  I  Q  says  if 
P  says  Q  says 


Quoting  (2) 


P  says  Q  says  9 
P  I  Q  says  if 


Controls 


P  controls  (f  P  says  ^ 


DenveA  Speaks  For 


P  =>  Q  P  says 
Q  says 


Reps 


Q  controls  P  reps  Q  on  -P  I  Q  says  tp 


Rep  Says 


P  reps  Q  on  ifi  P  \  Q  says  tfi 
Q  says 


Fig.  3.  Derived  Rules  Used  in  tliis  Paper 

believe  Kca  tli^  key  used  by  certificate  authority  CA.  With  this  belief,  we 
would  interpret  a  statement  made  by  Kca  eoine  from  CA.  In  particular,  if 
Kca  says  {KAUce  =>  Alice)^  we  would  interpret  this  public  key  certificate  signed 
by  K  CA  having  come  from  CA. 

Authority  and  Jurisdiction:  Jurisdiction  statements  identify  who  or  wliat 
has  authority,  speeifie  privileges,  powers,  or  rights.  In  the  logic,  jiiris- 
dietion  statements  usually  are  controls  statements.  For  example,  if  Al¬ 
ice  has  the  right  to  transfer  a  $10^  dollars  from  arc^i  to  acct2.  we 
say  A/ice  controls  (frans/er  10®,  arr/i ,  arr^2)-  If  Alice  has  jurisdiction  on 
{transfer  10®,  accfi, arr^2)  ^-nd  Alice  requests  {transfer  10®,accii ,  arr<2),  then 
the  Controls  inference  rule  in  Figure  3  allows  ns  to  infer  tlu*  soundness  of 
{transfer  10®,  arct].  acet^). 


Alice  contro\s  {transfer  10^ ,  acetic  ac.ct  2)  Alice  says  {transfer  acet  i  ^  acet  2) 

{transfer  ]0^  ^  accti ,  acct2) . 


Proxies  and  delegates.  Often,  something  or  somebody  makes  the  requests  to  the 
guards  protecting  the  resource  on  behalf  of  the  actual  j)rincipals,  who  are  the 
sources  of  the  requests.  In  an  electronic  transaction,  a  cryptographic  key  is  used 
as  a  proxy  for  a  principal.  Recall  that  Kqa  says  {KAhce  ^  Alice)  is  a  public 
key  certificate  signed  with  the  public*  key  Kca  the  certification  authority. 
The  certification  authority’s  key,  Kca^  installed  on  the  computer  using  a 
trustworthy  key  distribution  process,  and  the  trust  in  the  key  is  captured  using 
the  statement  Kca  CA.  If  we  get  a  certificate  signed  using  Kca^  then  we 
would  attribute  the  information  in  that  certificate  to  CA.  For  example,  using  the 
Derived  Speaks  For  rule  in  Figure  3  we  can  conclude  that  certificate  authority 
CA  vouches  for  K Alice  bcniig  Alice’s  public  key: 


h'cA  =>  CA  Kca  says  {Kaiicc  =>  Alice.) 

CA  says  =>  Alice). 

K Alice  Alice  is  a  statement  of  trust  on  K Alices  where  all  statements  made 

by  K Alice  attributed  to  Alice.  However,  in  some  situations,  a  principal  may 

be  trusted  only  on  specific  statements.  For  example,  K Alice  trusted  on 

a  statement  requesting  a  transfer  of  a  million  dollars.  Howewer,  Kaucc 
not  be  trusted  on  a  statement  K^ob  Bob.  This  notion  of  a  constrained 


Credentials  Management  for  High-V^ahie  Transactions 


177 


Fig.  4.  Partner  key  management 


delogatu)!!,  where  a  priiicij)ars  delegates  is  trusted  on  specific  statements,  is 
described  ii.sing  reps  formulas.  For  example,  if  f\  Alice  trusted  to  be  Al- 
ic('‘s  delegate  on  the  statement  (/ru/ns/rr  ucr/i ,  cicc/o),  we  would  write: 

Alter  reps /ttice  on  {ii'misfer  10^,  i .  (icrt2)  • 

From  the  semantics  of  reps,  if  w('  recognize'  1\  Alice  Alice's  delegate,  iu  effe'ct 
we  are  saying  that  Kahcc  trusted  on  Alice  stating  that  she  wishes  a  million 
dollars  to  be  transferred  from  acct\  to  (icrt2-  If  f^AUcc  Alice  says  transfer 
a  million  dollars  from  acct\  to  (icctz,  we  will  conclude  that  Alice  has  made  the 
reepiest.  Using  the  Rep  Saijs  rule  in  Figure  3  we  can  conclude: 


Alter  reps  Alice  on  (frnrj.s/er  10^’,  accf  i .  aerf 2) 
Alter  !  Alice  says  {tran.sf  cr  \0^ ,  nccti ,  acet^) 
Alice  says  {transfer  10^^,  ncc/ 1 ,  nrrf  2)- 


5  An  Extended  Example 

In  this  section,  we  illustrate  PKM  with  a  hypotlu'tical  example.  Suppose  Alice 
is  a  cash  manager  who  works  for  the  Widget  Corporation.  Further  suppose  that 
Widget  uses  three  banks:  First,  Second,  and  Third  Bank.  Snp)po.se  the  three 
banks  us('  different  procedures  for  authorizing  credentials,  which  the  Widget 
corporate  Tlx'asiirer  finds  acce])table.  Both  First  and  Second  Banks  use  the  PKM 
model,  while  for  explanatory  purposes  only,  assume  that  Third  Bank  uses  the 
PKl  model.  Both  First  and  Second  Bank  allow  Alice  to  obtain  a  credential 
from  any  provider,  while  Third  Bank  requires  Ali('e  to  obtain  a  credential  from 
a  specific  certificate  authority  that  we  will  refer  to  as  (CA).  Therefore,  Alice 
obtains  a  certificate  from  CA  that  can  be  used  with  all  the  Three  banks.  Because 
First  and  Second  Banks  use  PKM,  Alice  registers  the  certificate  with  both  the 
banks.  First  and  Second  Bank  dc'seribe  their  procedure  for  accepting  certificate's 
in  a  partner  key  practice  statement  (PKPS).  Both  First  Bank  and  Second  Bank 
reciuire  Alice  to  submit  a  signed  PKPS  along  with  each  transaction.  First  Bank 
recpiires  Widget  to  check  for  revocation  prior  to  Alice  sending  the  payment 
instruction.  There  is  a  mutual  agreement  of  sender  liability  if  Widget  does  not 
check  for  revocation  before  affixing  the  signature.  Second  Bank  requires  Alice 
to  sign  an  OCSP  response  obtained  from  the  certificate  provider,  and  S('cond 
Bank  will  validate  Alice's  certificate  using  the  OCSP  response.  Third  Bank  uses 


178 


C.  Boiisoii  et  al. 


<pkps:pkps  id  »  First> 
<wsp:poliCYattachment> 

<wsp:appliesto> 

<pkps.requester> 

<pkps:any/> 

</pkps.requester> 

<pkps:receiver> 

First 

</pkps:recelver> 
</wsp;appliesto> 

<wsp:policy> 

<wsp;all> 

<pkps  validationmodel> 

<pkps  sender-no-evldence/> 
</pkps:validation-model> 
</wsp:all> 

</wsppoliCY> 
</wsp:policYattachment> 

</pkps:pkps> 

Fig.  5-  First  Bank:  Payment  instruction,  eri-  Fig.  6.  First  Bank's  PKPS 

tit  lenient,  and  operating  rules 


Payment  instruction: 

1.  K Alice  says  {traiififer  lO*’, f2cc#i.accf2) 

2.  K  Alice  says  {First  Hank  P  K  PS  Anne  stamp) 

Entitlement: 

1.  Alice  controls  (transfer  10^,  accti ,  acct2) 

Mutually  Agreed  Operational  Rules: 

1.  First  controls  (KAhce  =>  Alice) 

2-  K Alice  says  {First  Bank  PK PS Ainar stamp) 
D  {K AhceV alidated,  timestamp) 

3.  {K Ahce^' (illdaXed,  timestamp) 

D  {First  says  K Alice  =>  Alice) _ 


the  traditional  PKI  model,  so  there  is  no  PKPS  involved.  Also,  Third  Bank 
uses  a  receiver  validation  model,  so  Third  Bank  will  connect  to  the  CA’s  OCSP 
responder  to  validate  the  certificates. 

We  will  use  the  access-control  logic  (Section  3)  to  describe  in  detail  the  oper¬ 
ations  of  the  three  banks  for  a  hypothetical  transaction,  in  which  Alice  requests 
a  transfer  for  $10^  from  Widget's  account  to  a  different  account.  For  each  bank, 
we  provide  a  derived  inference  for  justifying  the  bank’s  decision  to  act  on  the 
payment  instruction.  The  proof  of  these  derived  inference  rules  are  a  direct  appli¬ 
cation  of  the  inference  rules  described  in  Section  3.3.  Our  objective  is  to  primarily 
show  the  differences  between  PKI  and  PKM  with  respect  to  how  the  credentials 
are  managed.  We  use  the  access-control  logic  to  show  the  logical  consistency  of 
the  operations  and  also  to  make  the  inntually  agreed  operating  rules  explicit. 
Important  note:  In  the  hypothetical  example,  Alice  requires  an  entitlement 
to  request  a  transaction.  The  methods  comnioiily  used  by  banks  to  issue  such 
entitlements  to  Alice  are  outside  the  scope  of  this  paper.  For  the  purpose  of  our 
illustration,  we  will  assume  that  Alice  has  the  necessary  entitlement. 


5.1  First  Bank 

Figure  5  contains  an  example  payment  instruction  for  First  Bank,  The  pay¬ 
ment  instruction  comprises  two  statements,  (1)  a  statement  signed  using  K Alice 
recpiesting  transfer  of  $1  million,  (2)  First’s  PKPS  (Figure  G)  and  timestamp 
signed  using  K Alice ^  As  per  the  mutually  agreed  operational  rules,  First  has  the 
authority  for  authorizing  Alice  to  use  K Alices  First  issues  such  an  authoriza¬ 

tion  when  K Alice  i^^  validated.  According  to  First’s  PKPS,  the  sender  is  expected 
to  validate  KaUcc  prior  to  the  transaction,  and  First  assumes  that  the  K Alice 
is  validated  appropriately  when  Alice  signs  First’s  PKPS  with  h Alice-  The  fol¬ 
lowing  derived  inference  rule  justifies  the  bank’s  decision  to  act  on  the  payment 
instruction. 


Cmloiitials  Manageiiietit  for  Higli- Value  Transactions 


171) 


<pkps  pkps  icl»Second> 
<wsp:policyattachment> 

<wsp:appliesto> 

<pkps  fequester> 

<pkps:any/> 

</pkps  requester> 

<pkps  receiver> 

Second 

</pkps:receiver> 

</wsp.appliesto> 

<wsp:policy> 

<wsp  all> 

<pkps  revocation> 

<pkps:sender  with  evidence/> 
</pkps  revocation> 

</wsp;all> 

</wsp  policy> 

</wsp  policyattachment> 

</pkps:pkps> 

Fig.  7.  S(‘C()ii(l  I^aitk:  Paymettl  iiist  nictioii.  Fig.  8.  Second  liank's  l^KI^S 

entitlenient,  and  operating  rules 


Payment  Instruction: 

1.  l\  says  {tran.sfcr  Uf  ^nrcti^aciti) 

2.  {I\  u,,,-  I  f\c,\)  says  {f\  d.tttm  stamp) 

3  A  says  {Sr<(m<l  lUivk  f*K  f*S.timi  stamp) 

Entitlement: 

1  l/jVf  controls  {transfer  \Vf\ticrt  \  .nedi) 

Mutually  Agreed  Operational  Rules 
1.  Srcorul  controls  K  \i,,  t  >  1/ht 

2  /\  f  •  4  ( '.'I 

3.  A  says  {Sdrmd  Hank  Hh  f'S.  time  stamp)  D 

t  controls  {f\  .\i,,t^^'oUdatrd.  timestamp)  A 
A  \[,,f  reps  f\(\\  on  {l\  ,.\[,c,y(didatr(l.  time  stamp) 

4  {I\  ididafedjimcstamp) 

Second  says  A'.t/,,,.  =>  Alice 


f^Atn  r  says  {^rn77.s/pr  1 0^’ ,  nrr^  i .  nrrf 2) 

H  Alter  says  {F'irst  Bank  P  K  PS, timestamp) 

Aliei  controls  {transfer  ,  aeet  i ,  neet  2) 
f'irst  controls  ^  Alice 

H  Ahrr  says  {First  Bank  P f\  PS.  timestamp)  D  {K Ait>  .A'fihdatetl.  tnne.stamj}) 
{K  Ainr^  nhdati  <1,  tiniestanip)  D  {Fij'.st  says  A*  Atn'c) 

First  Bank  - - - ; - - - ^ - 

{tran.s f  er  10'* .  aeet  1 ,  «rr/2) 


5.2  Second  Bank 

Th(‘  payiiient  iiist ruction  for  Second  Bank,  in  Figure  7,  comprises  three  state¬ 
ments,  (1)  a  statement  signed  using  Kaucc  requesting  transfer  of  $1  million,  (2) 
CA*s  OeSP  r(\spon.s('  for  I\Aijre  signed  using  f\  Alices  («^)  PKPS  (Figure  8)  and 
timestamp  signed  using  I\Ai,fr-  Second  Bank  lirus  authority  for  authorizing  Alict' 
to  use  I\  Alices  similar  to  the  First  Bank,  but  list's  the  sender- validation-wit  h- 
cvideiK'e  model  for  validation.  When  K Alice  i^igns  Sc'CoikFs  PKPS,  both  jiartk's 
HgK'e  to  two  operating  nik's  for  validating  K Alice-  First.  CA  has  antliority  for 
validating  A'^/kv  •  Second,  f\Ahr(  a  recognized  delegate  of  I\(\j\  for  relaying 
the  OeSP  response  for  K Alice-  "1  l^e  following  derived  inference  rule  Justifies  the 
bank’s  decision  to  act  on  tlu'  payment  instruction. 

Faiu*  says  {transfer  10^ .  occt  i ,  aert  2) 

(A\^^,,.,  1  Kc'a)  says  Ac/, /mi7’.s/a777;>) 

F  Aitrr  says  {Second  Bank  PK PS,  timestamp) 
controls  {trenisfer  10^ .  aert  i ,  acrt2) 

Second  con tTols  h  Alter  Alice 

i<c  A  t 

KAhr,  says  {Second  Bank  PK PS.timi  stamj))  D 
{CA  controls  {K Ah.  r  Validol t  d,  timestamp)  A 

h'Altrr  reps  KtA  OH  {  l\  Al  tre^  ohdat  cd ,  1 1  TUC  sta  171  p)  } 

{l\  Aitrr^  ahdntcd,  timestamp)  D  Second  says  f\Atn  t  Alter- 
{transfer  \0^.accti.n<<t2) 


Ser  rmd  Bank 


180 


G.  Bonson  ct  al. 


5.3  Third  Bank 

The  payment  iiintruction  for  Third  Bank,  in  Figure  9,  is  a  statement  signed  us¬ 
ing  K Alice  for  requesting  a  transfer  of  $1  million.  Third  Bank  believes  in  the 
jurisdiction  of  the  CA  for  identifying  the  Key  of  Alice.  When  Third  Bank  re¬ 
ceives  the  public  key  certificate  for  KAl^ce^  it  validates  it  by  connecting  to  CA's 
OeSP  responder.  On  successful  validation,  Third  Bank  is  convinced  that  K Alice 
belongs  to  Alice.  For  the  sake  of  brevity,  we  do  not  describe  the  actual  validation 
process  in  the  logic.  Moreover,  doing  so  does  not  change  the  trust  assumptions, 
more  specifically  does  not  affect  Third  Bank  s  belief  in  CA’s  authority.  The  fol¬ 
lowing  derived  inference  rule  justifies  the  bank's  decision  to  act  on  the  payment 
instruction. 


Third  Bank 


hi Alici'  says  {transfer  SlO^,  accii) 
Alice  controls  {transfer  $10®,accti) 
Kca  says  K AUcr  ^  Alice 
Kca  =>  CA 

CA  controls  ^  Altce 

{transfer  10^,  accti ,  arrf2) 


Payment  Instruction: 

1  h'Aitce  says  {transfer  }{f\accti,acct2) 

Entitlement 

1.  Alice  controls  {transfer$l{f‘.accti) 

Public  Key  Certificate 
1  Kca  says  KAhrr  Alur 

Trust  Assumptions: 

1  Kc'a  ^  CA 

2.  CA  controls  K Ahcr  ^  Alice 


Fig.  9.  Third  Bank:  Payment  instruction,  entitlement,  certificates,  and  trust  assunii)- 
tions 

5.4  Analysis 

The  traditional  PKl  model  is  characterized  by  the  following  three  statements: 

1.  KeycA  ^  CA  Trust  in  the  root  key  of  the  CA 

2.  CA  controls  (Acy  =>  Principal)  CA's  .Jurisdiction 

3.  KeycA  says  [Key  =>  Principal)  Certificate 

Users  triLst  that  the  root  key  belongs  to  the  CA.  Trust  in  the  key  of  the  root 
CA  must  be  established  by  a  trustworthy  key  distribution  process.  The  CA  has 
jurisdiction  over  statements  associating  a  key  with  a  particular  principal  and 
issues  PKI  certificates,  each  of  which  is  a  statement  signed  by  the  root  key  that 
associates  the  key  with  a  particular  priiiciiial.  The  PKl  model  does  not  deal  with 
authorizations,  and  authorization  is  considered  the  responsibility  of  the  relying 
party  (RP).  Moreover,  validation  is  also  seen  as  the  responsibility  of  the  RP,  and 
does  not  involve  the  user. 

The  PKM  model  is  characterized  by  the  following  two  statements: 

1.  Bank  controls  {Key  Principal)  Bank’s  Jurisdiction 

2.  {Key.  V alidated)  D  Bank  says  (Key  =>  Principal)  Bank  issues  authorization 


Cmlnitials  ManagomeiU  for  Iligli-Vahu'  Transactions 


181 


The  PKM  niodol  blends  autlieiitication  with  aiitliorizatioii.  and  Banks  have  tlu’ 
anthority  for  anthciiticating  and  authorizing  the  nse  of  credentials.  TIk'  user  has 
the  freedom  to  obtain  credentials  from  any  provider,  but  the  Banks  veint('rj)ret 
the  eredoiitials  in  constrained  manner,  which  could  vary  between  hanks.  In  con- 
trasl  to  th('  PKl  model,  the  validation  process  for  th('  crechaitials  is  explicit  and 
involves  tlu*  user,  supporting  non-re])udiation  claims.  In  effect,  PKPS  maj)s  tlu* 
conimoii  interpn'tation  of  PKI  ('red('ntials  into  tlie  mon'  constrained  and  con¬ 
trolled  int(*rpr('tation  required  by  bai^ks  for  high-vahu'  commercial  transactions. 


6  Related  Work 

Then*  are  several  XML  schemas  for  specifying  web  service  policies  and  privacy 
j)olicics.  WS-Policy  [1]  is  a  \V3C  standard  for  specifving  wi'b  service  policies  for 
.security,  (juality  of  service,  nies.saging.  etc.  WSPL  [1]  has  similar  motivations, 
but  is  not  an  accepted  \V‘^C  standard.  P3P  enables  a  web  site  to  pnblisli  its 
priva('V  practice  in  a  machine  leatlabk*  format,  which  all  browsers  can  read  and 
warn  their  respective  irs('rs  if  tlu*  privacy  ])racti(‘('  of  a  web  site  is  incompatible 
with  a  irser's  pev.sonal  preference  [5].  Our  work  relates  to  existing  XML  .schemas 
for  s[)ecilying  web  service'  and  privacy  i)olicies  by  providing  a  formal  semantics 
with  sound  inference  rules  for  describing  ])oli('ies.  The  b('nefit  of  onr  work  is 
banks  can  rigorously  justify  acting  on  ])aymciit  instructions  based  on  policies 
and  trust  a.s.suniptions. 

.Ion  Ohu's  [()]  tlescrilx’s  an  approach  that  ofh'rs  interoperability  l)y  using  a 
trusted  third  party  called  the  validation  authority  (VA).  The  VA  is  trusted  by 
both  tlu'  (^As  and  relying  party  (HP),  which  receives  tlie  cnulentials.  Each  V^A 
vouches  for  the  CAs  it  handles,  and  the  HP  can  validate  all  the  credentials  from 
tlu*  CAs  by  connecting  to  a  single'  VA.  While  this  model  provides  intero|)(*rabihty 
with  respe'ct  to  CAs  vouched  for  by  a  particular  VA.  it  limits  the  HI^  and  its  cus¬ 
tomers  to  f)nly  tho.se  CAs.  In  contrirst,  PKM  impo.ses  no  such  restrictions;  Banks 
us('  any  CAs  tluw  want.  Moreover,  the  PKM  model  reinte'rprets  the  anthority  of 
credc'iitials  in  a  constrained  and  controlled  manner. 

1  ox  and  LaMac'chia  [7]  describe  an  alternative  to  OCSP  for  online  (  ('rtificatc* 
status  clu'cking.  Any  mc'thod  similar  to  OCSP  that  rcxinirc'S  the  HP  to  connect 
to  the  CA  for  validating  the'  certificates.  ne)t  only  bre'aks  intcn'e)perability.  but 
also  imposc's  a  significant  cost  em  the  HP.  In  ce)ntrast.  PKM  supports  a  general 
valielation  model,  including  a  seneler  validation  model,  which  in  conjunc‘tie)n  with 
the*  reintcTpretation  e)f  authority,  scales  bette^r,  })rovidc\s  interoperability,  anel 
rc'clucc's  the*  co.st  for  the  RP. 

Onr  work  is  re'lated  io  sc'veral  logical  systcuns  iiseel  for  reasc^uing  about  acea'ss- 
cemtrol  that  are  snmmanze'el  in  [8].  The  access-contre)!  le)gic  we  use  is  ba,s('d  e)n 
Abadi  and  Plotkin's  work  [9],  with  nioelifications  clescribc'cl  in  [10]. 

7  Conclusion 

The*  c'onunon  iuterpretatie)n  of  PKl  credentials  is  j)re)l>lc'niatic  for  banks  c*n- 
gaged  in  high- value  ecunmcncial  transactions.  F^n  tne'r  key  management  (PKM), 
through  the  use  of  partner  key  prac'tice  stateme'nts  (PKPS),  reintc'rprc'ts  PKI 


182 


G.  Benson  ct  al. 


credentials  to  address  the  problems  of  scope  of  authority,  liability,  and  cost  in¬ 
herent  to  high-value  commercial  transactions.  The  failure  of  any  single  high- 
value  transaction  can  bring  severe  consequences  to  banks.  Thus,  it  is  essential 
that  the  policies  and  requirements  regarding  the  use  of  credentials  in  high- value' 
conuncrcial  transactions  be  as  i)recise  and  accurate  as  possible.  To  nn'ct  this  re¬ 
quirement,  we  have  expres.sed  PKI,  PKPS,  and  PKM  policies  and  interpretations 
ill  an  access-control  logic  with  formal  semantics  and  sound  inference  rules.  This 
enables  banks  and  their  customers  to  know  precisely  what  is  re(|uired  of  them 
and  to  justify  acting  on  payment  instructions.  Our  experience  to  date  indicates 
that  using  this  logic  is  w'ithin  the  capabilities  of  practitioners  and  does  in  fact 
clarify  the  underlying  logic  of  credentials  and  their  use  in  high-value  commercial 
transactions. 


References 

1.  Vedamuthii,  A.S.,  Orchard,  D.,  flirsch,  F.,  Hondo,  M.,  Yendliiri,  P.,  Boiibez,  1 
Yalc^inalp,  U.:  Web  services  policy  1.5  -  framework  (September  2007), 

http ‘ //www , w3 , org/TR/ws-policy/ 

2.  Myers,  M.,  Ankney,  R.,  Malpani,  A.,  Galperin,  S.,  Adams,  C.:  X.509  Internet  Pub¬ 
lic  Key  Infrastructure  Online  Certificate  Status  Protocol  -  OCSP.  hi:  RFC  2560 
(Proposed  Standard)  (June  1999) 

3.  Benson,  G.:  Portable  security  transaction  protocol.  Coiny)iit.  Netw.  51(3),  751  766 
(2007) 

1.  Anderson,  A.H.:  An  introduction  to  the  web  services  policy  language  (wspl).  In: 
POLICY  (2001) 

5.  Cranor,  L.,  Dobbs,  B.,  Egelmaii,  S.,  Hogbeii,  G.,  Hiiinphrey,  J.,  Langheinrich,  M., 
Marchiori,  M.,  Prcslcr-Marsliall,  M.,  Reagle,  J.,  Schunter,  M.,  Stampley,  D.A., 
Wenning,  R.:  The  platform  for  privacy  preferences  1.1  (p3pl.l)  specification. 
(November  2006),  http://www.w3.org/TR/P3Pll/ 

6.  Olnes,  J.:  DNV  VA  white  paper:  PKI  interoperability  by  an  indepeiideiit,  trusted 
validation  authority.  In:  5th  Animal  PKI  R  D  Workshop  (April  2006) 

7.  Fox,  B..  LaMacchia,  B.A.:  Online  certificate  status  checking  in  financial  transac¬ 
tions:  I'lie  case  for  re-issnance.  In:  FC  (1999) 

8.  Ahadi,  M.:  Logic  in  access  control  (tutorial  notes),  145  165  (2009) 

9.  Abadi,  M.,  Burrows,  M.,  Lampson.  B.,  Plotkin,  G.:  A  Calculus  for  Access  Con¬ 
trol  in  Distributed  Systems.  ACM  TVansactions  on  Programming  Languages  and 
Systems  15(4),  706  734  (1993) 

10.  Chin,  S.K..  Older,  S.:  Reasoning  about  delegation  and  account  access  in  retail 
payment  systems,  hi:  MMM-ACNS  (2007) 


A  New  Hard  Problem  over  Non-commutative  Finite 
Groups  for  Cryptographic  Protocols 


Dmitriy  N.  Moldovyan  and  Nikolay  A.  Moldovyan 

St.  Petersburg  Institute  for  Inrormiitics  and  Automation  of  Russian  Academy  of  Sciences, 
14  Liniya,  39.  St.  Petersburg  199178,  Russia 
mdn . spectr@mai 1 . ru 
http; //www.spiiras .nw.ru 


Abstract.  A  new  computationally  diflicult  problem  dclined  over  non-commu- 
tative  finite  groups  is  proposed  as  cryptographic  primitive.  The  problem  is  used 
to  con.struet  public  key  agreement  protocol  and  algorithms  for  public  and  commu¬ 
tative  encryption.  Finite  non-commutative  groups  of  the  four  dimension  vectors 
over  the  ground  held  are  constructed  and  investigated  as  primitives  for  imple¬ 
menting  the  protocols  and  algorithms  based  on  the  proposed  difheult  problem. 

Keywords:  public  key  cryptography,  difficult  problem,  finite  non-eommiitativc 
groups,  public  key  distribution,  public  encryption,  commutative  encryption. 


1  Introduction 

Factorization  and  finding  discrete  logarithm  arc  two  of  the  most  widely  used  in  the 
publie  key  cryptography  difficult  problems.  The  second  problem  is  used  in  the  official 
signature  standards  [1|.  However  both  of  this  problems  can  be  solved  in  polynomial 
time  on  a  quantum  computer  [2].  Quantum  computing  develops  from  theoretic  models 
towards  practical  implementations  therefore  cryptographers  look  for  some  new  hard 
problems  that  have  exponential  complexity  while  using  both  the  ordinary  eomputers 
and  the  quantum  ones  [3,4].  Sueh  new  difficult  problems  have  been  defined  over  braid 
groups  representing  a  partieular  type  of  infinite  non-eommutative  groups.  Using  the 
braid  groups  as  cryptographic  primitive  a  number  of  new  publie  key  cryptosystems 
have  been  developed  [5,6].  Unfortunately,  results  of  the  paper  [7]  show  weakness  of  the 
conjugacy  search  problem  used  in  the  braid  group  based  eryptographie  protocols. 

Present  paper  introduces  a  new  hard  problem  defined  over  finite  non-eommutative 
groups  and  deseribes  the  public  key  cryptosehemes  constructed  using  the  propo.sed 
hard  problem  that  combines  the  discrete  logarithm  problem  with  the  eonjugaey  search 
problem.  There  is  also  presented  a  theorem  disclosing  the  local  structure  of  the  non- 
eommutative  group,  which  is  exploited  in  the  proposed  hard  problem.  Then  eonerete 
type  of  the  non-eommutative  finite  groups  is  constructed  over  finite  four-dimension 
vector  space. 

2  New  Hard  Problem  and  Its  Cryptographic  Applications 

Suppose  for  some  given  finite  non-commutative  group  P  containing  element  Q  po.s.sess- 
ing  large  prime  order  q  there  exists  a  method  for  easy  selection  of  the  elements  from 

I.  Kotenko  and  V.  Skormin  (Eds.):  MM.M-ACNS  2010.  LNCS  6258,  pp.  18.V194.  2010. 

@  Springer- Verfag  Berlin  Heidelberg  2010 


184 


D.N.  Moldovyan  and  N.A.  Moldovyan 


sufficiently  large  commutative  subgroup  6  F.  One  can  select  a  private  key  as  the 
pair  (VF,.v)  containing  a  random  clement  W  6  F^^^^  such  that  W  oQ  ^  QoW ,  where  o 
denotes  the  group  operation,  and  a  random  number  jc  <  q  and  then  compute  the  public 
key  Y  =  W  oQ^  oW~^  (note  that  it  is  easy  to  show  that  for  arbitrary  value  x  the  in¬ 
equality  W  oQ^  ^  oW  holds).  Finding  pair  (VV',jc),  while  given  F,  F^^,  Q,  and  F,  is 
a  computationally  difficult  problem  that  is  suitable  to  design  new  public  key  cryptosys¬ 
tems.  The  problem  suits  also  for  designing  commutative  encryption  algorithms.  While 
constructing  cryptoschemes  on  the  basis  of  this  hard  problem  there  is  used  the  mutual 
commutativity  of  the  exponentiation  operation  and  the  automorphic  mapping  operation 
9vv(F)  =  W  oV  o\V  ,  where  V  takes  on  values  of  all  elements  of  the  group  F.  The  com¬ 
mutativity  of  these  two  operation  can  be  expressed  by  the  equality  (pvv(F'^)  =  (9w(F))'^. 
Indeed,  it  is  known  [8]  that 

WoK'oW"'  =  (WoKoW')'". 

The  public  key  agreement  protocols  can  be  constructed  as  follows.  Suppose  two 
users  have  intension  to  generate  a  common  secret  key  using  a  public  channel.  The  first 
user  generates  his  private  key  {W\  ,.vi),  computes  his  public  key  F]  =  VFi  o  o 
and  sends  Y\  to  the  second  user.  The  last  generates  his  private  key  (W2,.Y2)»  computes 
his  public  key  F?  =  VF2  o  VF2  ^  and  sends  F2  to  the  first  user.  Then,  like  in  the 
Diffie-Hellman  protocol  [9],  the  first  user  computes  the  value 

A:,2  =  W|o(K2f' oW“'  =W|o(W2  0(2'2oVV2  oW“‘  = 

=  W,  o  W2 O 0^2“' oW“'. 

The  second  user  computes  the  value 

Kjt  =  W2  O  (r,  )'2  O  =^2  0  [Wi  o  Q'l  o  Wf'  )■'-  o  uv'  = 

=  VV2  o  Wi  o  o  Wf  ‘  o  W2  ' . 

The  elements  W\  and  W2  belong  to  the  commutative  subgroup  F^j,,  therefore  K2\  = 
K\2  =  K,  i.e.  each  of  the  users  has  generated  the  same  secret  K  that  can  be  used,  for 
example,  to  encrypt  confidential  messages  send  through  the  public  channel. 

Suppose  a  public-key  reference  book  is  issued.  Any  person  can  send  to  some  user  a 
confidential  message  M  using  user’s  public  key  F  =  VF  o  ,  where  VF  and  x  are 

elements  of  user’s  private  key.  For  this  aim  the  following  public  key  encryption  scheme 
can  be  used,  in  which  it  is  supposed  using  some  encryption  algorithm  controlled 
with  secret  key  K  representing  an  element  of  the  group  F. 

1 .  Sender  generates  a  random  element  U  ^  ^ab  and  a  random  number  w,  then  com¬ 
putes  the  elements  R  =  U  oQ*  o  U~^  and 

K  =  UoY“oU-'  =Uo{WoQ'^oW-'y  oU-'  =U  oWoQ'^oW  ‘of/-'. 

2.  Using  the  element  K  as  encryption  key  and  encryption  algorithm  Ef(  sender  en¬ 
crypts  the  message  M  into  the  cryptogram  C  =  Fk{M).  Then  he  sends  the  cryptogram 
C  and  element  R  to  the  user. 

3.  Using  the  element  R  the  user  computes  the  encryption  key  K  as  follows  K  — 
WoR’^oW-'  =  W  o[u  oQ'oU'^y  oW  '  =  Wo(yo(2'“o(;-' oW-‘.  Then  the  user 
decrypts  the  cryptogram  C  as  follows  M  =  Ff,  '(C),  where  is  the  decryption  algo- 
rithm  corresponding  to  the  encryption  algorithm  Fk^ 


A  New  Hard  Problem  over  Non-commutative  Finite  Groups 


185 


The  proposed  hard  problem  represents  some  combining  the  exponentiation  proce¬ 
dure  with  the  procedure  defining  the  group  mapping  that  is  an  automorphism.  These 
two  procedures  are  commutative  therefore  their  combination  can  be  used  to  define  the 
following  commutative-encryption  algorithm. 

1 .  Represent  the  message  as  element  M  of  the  group  T. 

2.  Encrypt  the  message  with  the  first  encryption  key  (IVj  ,ei ),  where  W\  G  Ty^.  e\  is  a 
number  invertible  modulo  ///,  and  ni  is  the  least  common  multiple  of  all  element  orders 
in  the  group  T,  as  follows  C)  =  W|  o  o  . 

3.  Encrypt  the  cryptogram  C\  with  the  second  encryption  key  (VVS,e2),  where  UA  G 
Tab,  €2  is  a  number  invertible  modulo  ///,  as  follows 

C,2  =  VV2  o  IV2  '  =  W2  o  IV|  o  W,  '  o  W2  ' . 

It  is  easy  to  show  the  encrypting  the  message  M  with  the  second  key  {W2.e2)  and  then 
with  the  first  key  (W|  ,ej)  produces  the  cryptogram  C21  =  C12,  i.e.  the  last  encryption 
procedure  is  commutative. 


3  On  Selection  of  the  Elements  from  Commutative  Subgroups 

In  the  cryptoschemes  described  in  previous  section  the  first  element  of  the  private  key 
.should  be  selected  from  some  commutative  group.  A  suitable  way  to  define  such  selec¬ 
tion  is  the  following  one.  Generate  an  element  G  G  T  having  sufficiently  large  prime  or¬ 
der  g  and  define  selection  of  the  element  IV  as  selection  of  the  random  number  1  <\y  <  g 
and  computing  W  =  .  Using  this  mechanism  the  private  key  is  selected  as  two  ran¬ 

dom  numbers  vv  and  x  and  the  public  key  is  the  element  Y  —  G^  o  oG  .  One  can 
easily  show  that  for  arbitrary  values  \v  and  a'  the  inequality  G"'  o  ^  o  G*'  holds. 

For  security  estimations  it  represents  interest  haw  many  different  elements  are  gen¬ 
erated  from  two  given  elements  G  and  Q  having  prime  orders  g  and  q,  respectively.  The 
following  theorem  gives  a  reasonable  answer  to  this  question. 

Theorem  1.  Suppose  elements  G  and  Q  oj  some  non-commutative  finite  ^roup  T  have 
the  prime  orders  g  and  q,  correspondingly,  and  satisfy  the  following  expressions  G  o 
Q  QoG  and  K  o  Q  Qo  K,  where  K  ~  G  o  Qo  G~^ .  Then  all  of  elements  Kj  j  =- 
G^  oQ‘  o  G~f  where  i  =  1,2 . —  1  and  j  =  1,2 . g,  are  pairwise  different. 

Proof  It  is  evident  that  for  .some  fixed  value  j  the  elements  Kjj  -  G^  o  Q'  o  G  K  where 
i  =  1,2,. ..  compose  a  cyclic  subgroup  of  the  orders/.  Condition  AToQ  0oA'  means 
that  element  K  is  not  included  in  the  subgroup  Tq  generated  by  different  powers  of  Q. 
Suppose  that  for  some  values  A  i*  ^  i,  y,  and  f  ^  j  elements  and  Kjf y  are  equal,  i.e. 
G-'  oQ  o  G  ^  —  G^  oG  .  Multiplying  the  both  parts  of  the  last  equation  at  the 
right  by  element  G^  and  at  the  left  by  element  G~^  one  gets  Q‘  =  G^  oQ‘  oG 
The  subgroup  T^  has  the  prime  order,  therefore  its  arbitrary  clement  different  from 
the  unity  element  is  generator  of  T^),  i.e.  for  /'  <q—\  the  element  P  =  Q‘  generates 
subgroup  Vq.  Taking  this  fact  into  account  one  can  write 

{Q')'=(Gj'  J  oQ''  oG-^eny  ^Gj'^JoQ''^oG  '•j'  =G^'~->oP'oG 


186  D.N.  Moldovyan  and  N.A.  Moldovyan 


The  last  formula  shows  that  mapping  {P  ^)  =  J  oP^oG  maps  each 

element  of  Vq  in  some  element  of  Vq.  The  mapping  y  (F^^)  is  bijection,  since  for 
Z=  1 ,2,. the  set  of  elements  composes  the  subgroup  r(;.  Thus,  the  mapping 
(p^/  j  (F^)  is  a  bijection  of  the  subgroup  F^  into  itself. 

Since  order  of  the  element  G  is  prime,  there  exists  some  numbers  =  (/  —  j)~^  mod  g 
for  which  the  following  expressions  hold  G  =  and 

<PG (r^)  =  cp^(j/  jy  (r^)  =  tPp-/-;  i^Gi'  I  •••)); 

li  bijections 

where  the  mapping  is  represented  as  superposition  of  u  mappings  9^;/  y(F^),  The 
superposition  is  also  a  bijection  of  the  subgroup  F^  into  itself,  since  the  mapping 
cp^/  j  (F(2)  is  the  bijection  F^  into  F^.  Therefore  the  following  expressions  hold: 

K^GoQoG-^=i?G{Q)erQ  =>  KoQ^QoK. 

The  last  formula  contradicts  to  the  condition  K o  Q  ^  Qo  K  of  the  theorem.  This  con¬ 
tradiction  proves  Theorem  1 .  □ 

Accordingly  to  Theorem  1  there  exist  {q  —  \  )g  different  elements  Z/y  ^  E,  where  E  is 
unity  element  of  F.  Together  with  the  unity  element  E  they  compose  g  cyclic  subgroups 
of  the  order  q  and  each  of  elements  Z^y  ^  E  belongs  only  to  one  of  such  subgroups. 

4  Non-conimutative  Finite  Rings  of  Four-Dimension  Vectors 

Different  finite  rings  of  m-dimension  vectors  over  the  ground  field  GF{p)^  where  p  is  a 
prime,  can  be  defined  using  technique  proposed  in  f  1 0].  The  non-commutative  rings  of 
four-dimension  vectors  are  defined  as  follows.  Suppose  e,  i,  j,  k  be  some  formal  basis 
vectors  and  (i,b,c\d  G  GF{p),  where  p  >  3,  are  coordinates.  The  vectors  are  denoted 
as  ae -h /7i  T  d  4- or  as  {ciJyjC\d).  The  terms  iv,  where  T  G  GF{p)  and  v  G  {e,i,j,k}, 
are  called  components  of  the  vector. 

The  addition  of  two  vectors  (ajy^c.d)  and  \')  is  defined  via  addition  of  the 

coordinates  corresponding  to  the  same  basis  vector  accordingly  to  the  following  formula 

{aj},c,d)  T  (.v,y,z,  v)  =  (^7  -f-X-,/? -f  y,r  + 1’)- 

The  multiplication  of  two  vectors  ac  f  /7i  4-  rj  -f  zw'  and  ac  +  yi  4-  rj  +  defined  as 
multiplication  of  each  component  of  the  first  vector  with  each  component  of  the  second 
vector  in  correspondence  with  the  following  formula 

{ae-\-  h\  f  rj  4-zw)o  (jre4- ji  4  q  4-  v'k)  =  o  e  4-  o  e  +  c.vj  o  e  4- ^/xk  o  e4- 
4-flce  o  j  F  fci  o  j  4-  e  g  o  j  4-  Jzk  o  j4-  cive  o  k  -f  />vi  o  k  4  cvj  o  k  +  dvk  o  k, 

where  o  denotes  the  vector  multiplication  operation.  In  the  final  expression  each  prod¬ 
uct  of  two  basis  vectors  is  to  be  replaced  by  some  basis  vector  or  hy  a  vector  containing 
only  one  non-/cro  coordinate  in  accordance  with  the  basi.s-vector  multiplication  table 


A  New  Hard  Problem  over  Non-commuiative  Finite  Groups 


187 


Table  1.  The  basis-vector  multiplication  table 


o 

~e 

C 

-  -+ 

j 

1 

■—4 

e 

e 

i 

j 

k 

T 

j 

,i 

-  TC 

k 

k 

—  e 

i 

k 

k 

-i 

“Xe 

(BVMT)  defining  associative  and  non-commutative  multiplication.  There  are  possible 
different  types  of  the  BVMTs,  but  in  this  paper  there  is  used  the  BVMT  of  some  partic¬ 
ular  type  shown  in  Table  I .  For  arbitrary  value  T  €  GF{p)  Table  1  defines  formation  of 
the  non-eommutative  finite  ring  of  four-dimension  vectors.  In  the  defined  ring  the  vec¬ 
tor  (1 .0,0,0)  plays  the  role  of  the  unity  clement.  For  implementing  the  eryptoschemes 
described  in  wSeetion  2  it  repre.sents  interest  to  consider  the  multiplicative  group  F  of  the 
con.strueted  non-eommutative  ring.  To  generate  the  eleinents  Q  and  G  of  sufficiently 
large  orders  it  is  required  computing  the  group  order  Q  that  is  equal  to  the  number 
of  invertible  vectors.  If  some  vector  A  =  is  invertible,  then  there  exists  its  in- 

versesA  ^  =  (.v,y,z,v)  for  which  the  following  formula  holds  A  oA  ’—£  =  (  1 ,0,0.0). 
This  vector  equation  defines  the  following  system  of  four  linear  equations  with  four 
unknowns  .V.  y,  and  v: 

ax  -  Thy  -  cz  —  Tdv  =  I 
hx  T  ay  —  cv  —  0 
cx  I  xefy  -f  az  —  xbv  =  0 
(Ix  —  cy  T  hz  -\-av  =  0. 

If  this  .system  of  equations  has  solution,  then  the  vector  {a,b,c\(I)  is  invertible,  other¬ 
wise  it  is  not  invertible.  The  main  determinant  of  the  system  is  the  following  one 


A(A)  = 


a  -xb  c  -Xcl 
b  a  —d  c 
c  xd  a  Xh 
d  —c  h  a 


(2) 


Computation  of  the  determinant  gives 

A(A)  =  {iF  -{-xlr  -f-  T  xd^Y .  (3) 

Counting  the  number  of  different  solutions  of  the  congruence  A(A)  =  0  mod  p  one  can 
define  the  number  N  of  non-invertible  vectors  and  then  define  the  group  order  12  = 
//  —  N.  The  indicated  eongrucnce  has  the  same  solutions  as  the  congruence 

a"  T  xhr  q-  -f  =  0  mod  p.  (4) 

Statement  1.  For  prime  />  =  4A:  +  1,  where  k  >  1  and  x  /  0,  the  order  of  the  non- 
commutative  group  of  the  four-dimension  vectors  is  equal  to  12  =  p{p  —  I  )(/r  —  1 ). 


188 


D.N.  Moldovyan  and  N.A.  Moldovyan 


Proof.  For  primes  p  =  4^  -f  1  the  number  —  1  is  a  quadratic  residue,  since  ( —  1  = 

(_  1  )2^'  =  I  p  Therefore  there  exists  number  A,  such  that  =  —  1  mod  p  and  con¬ 
gruence  (4)  can  be  represented  as  follows 


cr  —  (Ar)^  =  t((A/?)^  P' 

{a  —  Ac)(fl  -f  At)  =  t  {(kb)^  —  d^)  mod  /;; 
aP  =  t((A/7)2-r/2)  mod/?, 


where  a  =  a  — Xc  mod  p  and  P  =  «  +  Ac  mod  p.  It  is  easy  to  see  that  for  each  pair  of 
numbers  (a.  P)  satisfying  the  last  congruence  correspond  unique  pair  of  numbers  {a,c) 
satisfying  congruence  (4).  Therefore  the  number  of  solutions  of  congruence  (4)  can  be 
computed  as  number  of  solutions  of  the  last  equation.  Two  cases  can  be  considered. 
The  first  case  corre.spond  to  condition  (kb)^  —d^^O  mod  p  and  there  exist  (/?  —  1  of 
different  pairs  {b,d)  satisfying  this  condition.  For  each  of  such  pairs  (b,d)  for  all  (/?—!) 
values  a  ^  0  mod  p  there  exists  exactly  one  value  P  such  that  the  last  congruence  hold.s. 
Thus,  the  first  case  gives  A^i  =  {p  —  \  )^  different  solutions  of  congruence  (4). 

The  second  case  correspond  to  condition  (AZ?)^  —d^  =  0  mod  p  which  is  satisfied 
with  2p—  1  different  pairs  {b.d).  The  left  part  of  the  last  congruence  is  equal  to  zero 
modulo  p  in  the  following  subcases  i)  a  ^  0  mod  p  and  P  =  0  mod  p  {p  —  \  different 
variants),  ii)  a  =  0  mod  p  and  p  ^  0  mod  p  (there  exist  p  —  1  different  variants),  and 
iii)  a  =  0  mod  p  and  p  =  0  mod  p  (one  variant).  Thus,  the  subcases  gives  2/7—1  differ¬ 
ent  variants  of  the  pairs  (r/,c),  therefore  the  second  case  gives  A^2  =  (2/7  —  1  different 
.solutions  of  congruence  (4).  In  total  we  have  N  =  N\  -\~  N2  =  {p  —  \  (2/7—  1)^ 

p^  p^  —  P  solutions.  The  value  N  is  equal  to  the  number  of  non-invertible  vectors  and 
defines  the  group  order  Q.  =  p"^  —N  =  p^  —  p^  —  p^  p  =  p{p—  1)(/?^  —  1 ).  Statement 
1  is  proved.  □ 

Statement  2.  Suppose  prime  p  =  4k  3,  where  k  >  1 ,  T  7^  0,  and  the  value  T  is  a 
quadratic  non  ~ residue  modulo  p.  Then  the  order  of  the  non-commutative  group  of  four- 
dimension  vectors  is  equal  to  Q  =  p{p  —  ^)ip^  ~~  i  )* 

Proof  For  primes  p  =  4k  3  the  number  —1  is  a  quadratic  non-residue,  .since 
(_!)(/>  l)/2  _  ^_|)2/:+i  _  _j  Since  the  value  T  is  a  quadratic  non-residue  the 

following  formulas  hold:  =  —1  mod  p  and  (— =  i  mod  p.  The  last 

formula  shows  that  there  exi.sts  number  A  such  that  A^  =  — T  mod  p  and  congruence  (4) 
can  be  repre.se nted  as  follows 

a^  —  {kb)^  =  {kd)^  —c^  mod  /?; 

(a  —  kb) (a  T  kb)  =  (kd)^  —  mod  p\ 
y8  =  (kd)^  —d~  mod  p. 


where  y  =  a  —  kb  mod  p  and  8  =  a-\-kb  mod  p.  Then,  counting  different  solutions  of 
the  la.st  equation  is  analogous  to  counting  solutions  in  the  proof  of  Statement  1.  This 
gives  N  =  p^  4-  p^  —  p  different  solutions  of  congruence  (4)  and  the  group  order  Q.  = 
_!)(/, 2-1).  □ 


A  New  Hard  Problem  over  N on-commutative  Finite  Groups 


189 


5  Homomorphism  of  the  Vector  Group 

There  exists  a  homomorphism  of  the  group  of  four-dimension  vectors  P  into  the  field 
GF{p). 

Theorem  2.  Suppose  the  vector  A  takes  on  all  values  of  the  elements  of  the  group  P. 
The  determinant  (2)  defines  the  homomorphism  \|/(A)  =  A(A)  of  the  group  P  into  the 
field  GF{p). 

Proof  Let  us  consider  the  vector  equation 


AoX-P  (5) 

over  the  four-dimension  vector  space  {P},  where  A  is  an  invertible  vector  and  P  is  an  ar¬ 
bitrary  vector.  Since  A(A)  7^  0  (see  formula  (2)),  the  equation  (5)  has  unique  solution  for 
each  vector  P.  Therefore  multiplication  of  the  vector  A  by  all  vectors  P  €  {P}defines  a 
linear  transformation  of  {P}.  The  matrix  Ma  of  eoeflicients  of  the  system  of  equa¬ 
tions  ( 1 )  can  be  put  into  correspondence  to  Ta  (see  determinant  of  this  matrix  in  formula 
(2)).  Another  invertible  vector  B  defines  the  transformation  corresponding  to  analo¬ 
gous  matrix  The  vector  multiplication  operation  is  associative,  therefore  we  have 

(A  o oX  =  A  o  (fioX).  (6) 

The  left  part  of  formula  (6)  represents  the  linear  transformation  TaoH  corresponding  to 
the  matrix  Maoh-  The  right  part  of  formula  (6)  is  the  superposition  T^^Ta  of  linear 
transformations  and  Ta,  therefore  we  have 

TaoH  —  Th^Ta  =>  Maob  —  MaMb 
A(Ao/i)  =  A(A)A(^). 

The  last  expression  means  that  the  mapping  v|/ :  A  — ^  A(A)  is  the  homomorphism  of  the 
group  P  into  the  field  GF{p).  Theorem  2  is  proved.  □ 

Using  different  BVMT  defining  associative  multiplication  of  the  m-dimension  vectors 
dehned  over  the  finite  fields  C/F(/r'),  where  .v  >  1 ,  one  can  define  different  finite  vector 
groups,  commutative  [  1()|  and  non-commutative.  Theorem  1  can  be  easily  extended  to 
all  of  such  vector  groups,  i.e.  the  determinant  A(A)  of  the  system  of  equations  providing 
computation  of  the  inverses  of  the  vector  A  defines  the  homomorphism  of  any  of  such 
groups  into  the  field  GF{p^). 

This  homomorphism  should  be  taken  into  account  while  selecting  the  parameters  of 
the  public  key  agreement  protocol  and  of  the  public  encryption  algorithm  based  on  the 
proposed  hard  problem.  Indeed,  in  the  case  of  using  the  group  P  the  vector  Q  should 
have  the  order  q  such  that  q\p  f  1  and  ^  —  1.  In  this  case  the  homomorphism  maps 

the  public  key  into  the  unity  clement  of  the  field  GF(p),  This  is  stated  by  the  following 
statement. 

Statement  3,  If  the  vector  V  has  the  order  cov/  such  that  gcd(cov/./7  —  1 )  —  1.  then 
A{V)-\. 

Proof  Suppose  A(P)  7^  1 .  Then  we  have 


190  D.N.  Moldovyan  and  N.A.  Moldovyan 


{A(V“v')  =  1  and  A(V“^)  =  (ACV)*^}  =i>  (A(V')"‘  =  1  ^ 

^gcd(cov./7-  1)^1. 

The  last  expression  contradicts  to  the  condition  gcd((0v,/7—  1)  =  1  of  the  statement. 
This  contradiction  proves  Statement  3,  □ 

In  the  ca.se  of  incorrect  selection  of  the  vector  Q  the  secrete  key  (x,  W)  can  be  computed 
by  parts  solving  two  independent  hard  problems,  the  discrete  logarithm  problem  and 
the  conjugacy  .search  problem.  For  example,  suppose  the  vector  Q  has  the  order  q  such 
that  q\p  —  1 .  Then  wc  have 

A(y)  -  A(W)(A(e)r  (A(W))-'  =  (A((2)r , 

where  A{Q)  ^  1 ,  and  the  value  x  can  be  found  solving  the  discrete  logarithm  problem  in 
GF{p).  Then  the  value  W  can  be  found  solving  the  conjugacy  search  problem  defined 
by  equation  Y  =  W  oV  oW  ^  where  Y  and  V  =  are  known  vectors.  The  di.screte 
logarithm  can  be  found  in  polynomial  time  using  the  known  algorithm  for  quantum 
computations  proposed  by  P.  Shor  [2].  Therefore  using  the  quantum  computer  the  pro¬ 
posed  problem  can  be  reduced  in  polynomial  time  to  the  conjugacy  search  problem,  if 
q\p-\. 

In  the  case  of  large  prime  order  (o{Q)  =  q  such  that  q\p  +  1  and  q  )(p  —  \  this  attack 
does  not  work.  Since  the  conjugacy  .search  problem  is  considered  as  a  primitive  for 
post  quantum  cryptography  and  the  propo.sed  problem  in  the  case  q\p^~\  is  harder  than 
both  the  dicrete  logarithm  and  the  conjugacy  search  problem  we  suppose  the  proposed 
cryptoschemes  effectively  resist  the  quantum  attacks. 


6  Complexity  of  the  Private-Key  Computation  in  a  Particular 
Case 

Using  the  known  parameters  Q  and  G  having  the  orders  q  and  g  =  q  the  following 
algorithm  finds  the  private  key  {\v\x)  from  the  public  one  Y  —  G^''  oQ^  oG  ^  . 

1 .  For  all  values  j  =  1,2,.. .  compute  vectors  U  {j)  =  G^  oY  oG  ^  (difficulty  of  this 
step  is  2q  vector  multiplications). 

2.  Order  the  table  computed  at  the  step  1  accordingly  to  the  values  U {j)  (difficulty  of 
this  step  is  ^log2^7  comparison  operations). 

3.  Set  counter  /  1  and  initial  value  of  the  vector  F  =  ( 1 , 0, 0, 0). 

4.  Compute  the  vector  V  F  o  Q. 

5.  Check  if  the  value  V  is  equal  to  some  of  the  vectors  U{j)  in  the  ordered  table. 
If  there  is  some  vector  U{f)  =  F,  then  deliver  the  private  key  {\\\x)  =  (/,/)  and 
STOP.  Otherwise  go  to  step  6. 

6.  If  /  ^  q,  then  increment  counter  /  <—  /  +  1  and  go  to  step  4.  Otherwi.se  STOP  and 
output  the  message  INCORRECT  CONDITION.  (Difficulty  of  steps  5  and  6  does 
not  exceed  q  vector  multiplication  operations  and  <7 log2^  comparison  of)erations.) 

Overall  the  time  complexity  of  this  algorithm  is  about  3q  vector  multiplication  opera¬ 
tions  and  2q\og2q  comparison  operations,  i.e.  the  time  complexity  is  0{q)  operations. 


A  New  Hard  Problem  over  Non-commuiative  Finiie  Groups 


191 


where  (7(  )  is  the  order  notation.  The  algorithm  requires  storage  for  q  vectors  and  for 
the  same  number  of  l/?|-bit  numbers,  i.e.  the  space  complexity  is  0{q). 

This  algorithm  shows  that  the  80-bit  security  of  the  proposed  cryptosystems  can  be 
provided  selecting  80-bit  primes  q  and  g.  Such  prime  orders  of  the  vectors  Q  and  G  can 
be  get  using  81 -bit  primes  p. 

It  seems  that  element  G  having  composite  order  can  be  used  in  the  cryptoschemes 
described  above  and  this  will  give  higher  security,  while  using  the  given  fixed  modulus 
p.  However  this  item  represents  interest  for  independent  research. 

7  Experiments  and  Numerical  Illustrations 

Numerous  computational  experiments  have  shown  that  in  the  case  /?  =  4A;  T  3,  where 
k  >  1  and  T  0,  when  the  value  T  is  a  quadratic  residue  modulo  /?,  the  group  order  also 
equals  to  £2  =  p{p  —  \  ){p^  —  1 ).  However  the  formal  proof  of  the  last  fact  have  not  been 
found.  The  experiments  have  also  shown  that  for  given  modulus  p  the  structure  of  the 
non-commutative  group  of  four-dimension  vectors  is  the  same  for  all  non-zero  values 
of  the  structural  coefficient  t.  Here  under  structure  of  the  group  it  is  supposed  a  table 
showing  the  number  of  difl'erent  vectors  having  the  same  order  (O  for  all  possible  values 
(0.  In  the  case  of  the  commutative  finite  groups  of  four-dimension  vectors  the  group 
.structure  changes  with  changing  values  of  structural  coefficients.  The  experiments  have 
been  performed  using  different  other  variants  (than  Table  1)  of  the  BVMTs  defining 
non-commutative  groups  of  four-dimension  vectors  and  in  all  cases  the  same  struc¬ 
ture  and  the  same  group  order  have  been  get,  for  all  non-zero  values  of  the  structural 
coefficients. 

Defining  a  group  of  four-dimension  vectors  with  Table  1  and  parameters  x  =  1  and 
p  -  234770281 182692326489897  (it  is  a  82-bit  number)  one  can  easily  generate  the 
vectors  Q  and  G  having  the  prime  orders  q  —  g  11 7385 1 4059 1 346163244949  (it  is  a 
81 -bit  number;  q  =  (/?q-  1  )/2)  and  then  generate  vector  K  —  GoQoG 

Q-^{\  9772 1 689364623475468796, 1  ()462(X)49500285 1 0 1 6666 1 1 . 

9 1 34066345202870229306 1 , 1 903389503 1 9800446 1 986 1 0) ; 

G  =  (44090605376274898528561,33539251770968357905908. 

628494 1 89939543 1 6 1 994 1 4, 1 2 1 93 1 076 1 289994770300 14); 

G  •  = (4409060537627489852856 1 , 20 1 23 1 0294 1 1 723968583989. 

171920862188738010290483. 112839205053692849459883); 

K  -  (197721689364623475468796, 127324294038715727080605, 
205837389432865711027118, 169402831102520905889980). 

The  vectors  satisfy  the  conditions  G  oQ  ^  G  oQ  and  K  oQ  ^  QoK  (see  Theorem  1 ), 
therefore  they  can  be  used  to  implement  the  cryptoschemes  presented  in  Sections  2  and 
3.  It  is  ea.sy  to  generate  many  other  different  pairs  of  the  vectors  Q  and  G  po.sscssing  81- 
bit  prime  orders  q  and  g  and  .satisfying  the  condition  of  Theorem  1 .  The  least  common 
multiple  of  all  element  orders  in  the  constructed  group  is* 


m  -  1 2939853526 1883131 443362 1 28353893964593 1 692060 
964758959029747 1 969647376 . 


192  D.N.  Moldovyan  and  N.A.  Moldovyan 


The  exponent  e  of  the  encryption  key  for  commutative  encryption  algorithm  can  be 
selected  as  e  =  73647585195364617191 17.  Then  the  exponent  of  the  decryption  key  is 
computed  using  formula  d  =  mod  m: 

d  =  89694276304 1 648235 1 90449886895523243 1 090386202 
188967381064403670926661 , 

Accordingly  to  the  algorithm  for  computing  the  private  key  from  the  public  one,  which 
is  described  in  Section  6,  the  80-bit  security  of  the  proposed  cryptoschemcs  is  pro¬ 
vided  in  the  case  of  80-bit  primes  q  and  g.  In  this  case  the  difficulty  of  the  computation 
of  the  public  key  from  the  private  one  does  not  exceed  4000  multiplications  modulo 
81 -bit  prime.  In  the  corresponding  cryptoschemes  of  the  public  encryption  and  of  the 
public  key  agreement,  which  are  based  on  elliptic  curves,  the  difficulty  of  computing 
the  public  key  from  the  private  one  is  equal  to  about  2400  multiplications  modulo  160 
prime.  Taking  into  account  that  difficulty  of  the  modulo  multiplication  is  proportional 
to  squared  length  of  the  modulus  one  can  estimate  that  the  proposed  cryptoschenies  are 
about  2.4  times  faster  than  analogous  schemes  implemented  using  elliptic  curves.  Be¬ 
sides,  performance  of  the  proposed  cryptoschems  can  be  significantly  enhanced  defin¬ 
ing  computation  of  the  secrete  element  W  as  a  sum  of  small  powers  of  G,  for  example, 
W  =  1^=1  p,G'^  where  p,  €  GF(/;),  /^  <  15,  .v  =  1 ,2. . . .  .6. 

Experiments  have  shown  that  four  each  pair  of  vectors  G  and  Q  such  that  GoQ^ 
QoG  the  condition  K  oQ  Qo  K,  where  K  =  GoQo  G“* ,  holds.  One  can  suppose 
that  the  condition  of  Theorem  1  is  excessive,  however  attempts  to  prove  formally  this 
theorem  without  condition  Go  Q  ^  QoG  were  not  successful.  Probably  there  exist 
non-commutative  groups  for  which  condition  GoQ  QoG  does  not  lead  to  condition 
KoQ  ^  QoK.  This  is  an  item  of  our  future  research.  As  regards  to  selection  of  the 
elements  G  and  Q  that  arc  to  be  used  in  the  public  key  agreement  protocol  based  on 
the  considered  hard  problem  one  can  check  that  for  the  selected  elements  G  and  Q  all 
conditions  of  Theorems  1  and  2  arc  satisfied. 

8  Finite  Matrices  Groups 

For  given  value  n  all  non-degenerate  n  x  n  matrices  defined  over  the  ground  field  GF{p) 
compose  a  finite  non-commutative  group  [8]  having  the  order 

i=0 

It  is  interesting  that  the  order  of  the  2  x  2-matrix  group  is  equal  to  the  order  of  the 
four-dimension  vector  groups  (in  the  case  T  0)  described  in  Section  4:  ^2x2  =  p{p  — 
—  1 ).  (For  the  four-dimension  vector  groups  defined  using  structural  coefficient 
X  =  0  the  order  is  equal  to  Q  =  p"(p  —  1 Y  prime  p  =  Ak  I  1  and  to  12  =  p^{p^  —  1 ) 
for  prime  p  =  Ak-\-  3.) 

In  the  cryptoschemes  based  on  the  proposed  hard  problem  there  arc  used  the  group 
elements  having  sufficiently  large  prime  orders  q  and  g  that  divide  the  group  order. 
In  the  case  of  prime  values  n  one  can  .select  the  value  p  such  that  the  value  ^max 


A  New  Hard  Problem  over  Non-eommutative  Finite  Groups 


193 


=  (//'  ’)/?  ^{/^  —  1)  *  is  prime  and  it  is  easy  to  generate  matrices  having  the  order 
^max-  Taking  this  fact  into  account  together  with  the  fact  that  the  matrix  multiplica¬ 
tion  can  be  performed  with  arithmetic  multiplications,  about  additions,  and  /r 
arithmetic  divisions  it  is  easy  to  come  to  conclusion  that  for  practical  applications  the 
finite  groups  of  matrices  corresponding  to  the  values  n  =  2. 3,5,  and  7  are  of  the  most 
practical  interest. 

In  case  of  the  3x3  matrices  one  can  select  such  42-bit  prime  p  that  the  largest  prime 
divi.sor  of  the  group  order  0^x3  is  equal  to  80-bit  prime  q  =  (/?"  +  p  +  1 )  /3  providing 
the  80-bit  security  of  the  proposed  eryptoschemes  with  378-bit  public  key.  In  the  case 
of  using  the  four-dimension  vector  groups  or  the  2x2  matrix  group  we  get  the  same 
security  with  324-bit  public  key. 

For  abitrary  prime  n  one  can  find  such  primes  p  (for  eases  of  different  .size  of  the 
value  p)  that  value 

pH  1  _|_  2  ^  i  p  \ 

- 

n 

is  also  prime.  Since  .such  value  q  divides  ilnxn  one  ean  use  the  values  p  having  smaller 
size  and  get  faster  cryptoschems  for  the  cases  n  =  5  and  n  =  7,  however  in  the  la.st  two 
cases  we  get  sufficiently  large  public  keys  (about  550  and  735  bits,  re.speetively).  A 
rough  comparison  of  the  time  required  for  computing  the  common  secret  key  using  the 
Diffie-Hellman  protocol  based  on  different  hard  problems  (see  Table  2)  shows  that  for 
the  same  security  level  the  propo.sed  hard  problem  provides  faster  key  generation. 


Table  2,  Rough  c.stimation  of  the  time  required  for  generating  the  common  secret  key  with  ihe 
Diffie-Hellman  protocol  implemented  using  different  hard  problems  (in  all  cases  the  selected 
parameters  provide  the  8()-bit  security  of  the  protcKol) 


Hard  problem 

Finite  group 

Size  of  prime /7,  bits 

Time,  arb.  un. 

Di.sertc  logarithm 

Elliptic  curve  over  GF{p) 

160 

22(K) 

Diserte  logarithm 

F* 

1024 

10000 

Proposed 

4-dimen.sion  vectors  over  GF{p) 

81 

350 

Proposed 

2x2  matrices  over  GF{p) 

81 

350 

Proposed 

3  X  3  matrices  over  GF{p) 

42 

200 

Proposed 

5x6  matrices  over  GF(p) 

22 

150 

Proposed 

7x7  matrices  over  GF{p) 

15 

150 

9  Conclusion 

Results  of  this  paper  shows  that  finite  non-commiitative  groups  represent  interest  for 
designing  fast  public  key  agreement  schemes,  public  encryption  algorithms,  and  com¬ 
mutative  encryption  algorithms.  Such  cryptosehemes  are  fast  and  the  hard  problem  they 
are  based  on  is  expected  to  have  exponential  difficulty  using  both  the  ordinary  comput¬ 
ers  and  the  quantum  ones. 

Theorems  1  and  2  are  useful  for  justification  of  the  selection  elements  Q  and  G  while 
defining  parameters  of  the  eryptoschemes.  The  proposed  non-commutative  finite  group 
of  the  four-dimension  vectors  seems  to  be  appropriate  for  practical  implementation  of 


194  D.N.  Moldovyan  and  N.A.  Moldovyan 


the  proposed  schemes.  We  have  proved  the  formulas  for  computing  the  order  of  such 
groups  in  majority  of  cases.  Unfortunately  for  a  quarter  of  cases  the  formal  proof  have 
not  been  found  and  this  item  remains  open  for  future  consideration.  However  the  proved 
cases  coves  the  practical  demands  while  implementing  the  proposed  cryptoscheme  with 
use  of  the  composed  non-commutative  groups. 

Implementation  of  the  proposed  cryptoschemes  using  the  finite  groups  of  matrices 
having  size  3x3,  5x5,  and  7x7  yields  faster  key  generation,  however  in  this  case  the 
.size  of  public  key  is  .sufficiently  large  (from  378  to  735  bits).  For  designing  fast  cryp¬ 
toschemes  with  sufficiently  small  public  keys  (320-330  bits)  the  finite  non-commutative 
groups  of  the  m-dimension  vectors,  where  m  =  8, 16,20,28,  and  32,  are  very  attractive. 
Construction  and  investigation  of  such  finite  groups  of  vectors  represents  a  topic  of 
independent  research. 


References 

1.  International  Standard  ISO/I  EC  14888-3:2006(E).  Information  technology  -  Security  tech¬ 
niques  -  Digital  Signatures  with  appendix  -  Part  3:  Discrete  logarithm  based  mechanisms 

2.  Shor,  P.W.:  Polynomial-time  algorithms  for  prime  factorization  and  discrete  logarithms  on 
quantum  computer.  SIAM  Journal  of  Computing  26,  1484-1509  (1997) 

3.  Anshel,  I.,  Anshel,  M.,  Goldfeld,  D.:  An  Algebraic  Method  for  Public  Key  Cryptography. 
Mathematical  Research  Letters  6,  287-29 1  ( 1 999) 

4.  Ko,  K.H..  Lee,  S.J.,  Cheon,  J.H.,  Han,  J.W.,  Kang,  J.S.,  Park,  C.:  New  Public-Key  Cryp¬ 
tosystems  Using  Braid  Groups.  In:  Bcllare,  M.  (ed.)  CRYPTO  2(XK).  LNCS,  vol.  1880,  pp. 
166-183.  Springer,  Heidelberg  (2000) 

5.  Lee,  E.,  Park,  J.H.:  Cryptanalysis  of  the  Public  Key  Encryption  Ba.sed  on  Braid  Groups.  In: 
Biham,  E.  (ed.)  EUROCRYPT  2003.  LNCS,  vol.  2656,  pp.  477^89.  Springer,  Heidelberg 
(2003) 

6.  Veima,  G.K.:  A  Proxy  Blind  Signature  Scheme  over  Braid  Groups.  International  Journal  of 
Network  Security  9,  214-217  (2009) 

7.  Myasnikov,  A.,  Shpilrain,  V.,  Ushakov,  A.:  A  Practical  Attack  on  a  Braid  Group  Based 
Cryptographic  Protocol.  In:  Shoup,  V.  (ed.)  CRYPTO  2005.  LNCS,  vol.  3621,  pp.  86-96. 
Springer,  Heidelberg  (2005) 

8.  Kargapolov,  M.I.,  Mcrzlyakov,  Y.  I.:  Group  Theory  Foundations.  Fizmatlit,  Moscow  (1996) 
(in  Russian) 

9.  Diffie,  W.,  Heilman,  M.E.:  New  Directions  in  Cryptography.  IEEE  Transactions  on  Informa¬ 
tion  Theory  lT-22,  644-654  ( 1 976) 

10.  Moldovyan,  N.A.,  Moldovyanu,  P.A.:  New  Primitives  for  Digital  Signature  Algorithms:  Vec¬ 
tor  Finite  Fields.  Quasigroups  and  Related  Systems  17,  271-282  (2009) 


Credential  Chain  Discovery  in  RT^  Trust 
Management  Language 


Krzysztof  Sacha 

Warsaw  University  of  Technology,  Nowowiejska  15/19,  (K)-665  Warszawa,  Poland 
k . sacha@ia . pw . edu . pi 


Abstract.  The  goal  of  this  paper  is  to  explore  the  potential  of  Role  based  Trust 
managemcni  language  RTT  as  a  means  for  specifying  security  policies  and  us¬ 
ing  credeniials  lo  ensure  ihat  confidential  resources  are  not  being  grained  lo  un¬ 
authorized  users.  The  paper  de.scribes  formally  the  syntax  and  semantics  of  the 
language  and  defines  RTT  credential  graphs  and  credeniial  chains  as  a  means 
for  answering  security  queries.  Backward  and  forward  search  algtirithms  to 
build  a  credential  chain  are  given. 

Keywords:  Software  security,  trust  management,  role-based  trust  management 
language,  credential  graph,  credential  chain. 


1  Introduction  and  Related  Work 

Software  systems,  which  are  used  in  commercial,  governmental  and  industrial  sectors, 
store  data  and  offer  services  that  can  be  used  safely  by  only  a  limited  .set  of  authorized 
users.  Unauthorized  access  to  data  and  other  resources  of  such  a  system  may  have 
disastrous  re.sults.  Therefore,  construction  of  the  mechanisms  for  controlling  access  to 
resident  information  and  other  re.sources  of  computer  systems  is  one  of  the  most  im¬ 
portant  problems  that  must  be  solved  by  the  information  technology. 

The  traditional  approach  to  access  control  relics  on  knowing  the  identity  of  all  the 
entities  that  can  make  requests,  and  making  decisions  on  allowing  or  denying  access 
to  system  resources  ba.scd  on  a  verification  of  the  identity  of  the  requester.  When  the 
system  grows  and  the  number  of  entities  becomes  very  big,  they  are  divided  into 
roles,  i.e.  overlapping  groups  of  entities,  which  have  the  same  rights  and  privileges 
with  respect  to  the  system  resources  [15,8].  This  simplifies  administration,  however, 
the  system  must  still  know  the  members  of  each  role  and  the  access  control  is  still 
based  on  a  verification  of  identity.  One  possible  mechanism  of  such  a  verification  is  a 
login  window.  Another  example  can  be  the  use  of  a  public  key. 

A  much  bigger  problem  arises  is  distributed  open  .systems,  in  which  the  identity  of 
users  is  not  known  in  advance  and  can  change  in  time  outside  the  control  of  an  access 
mediator.  If  this  is  the  case,  a  new  approach  to  access  control  is  needed.  For  example, 
consider  a  scientific  conference,  which  offers  a  reduction  of  the  conference  fee  for 
members  of  the  sponsor  organizations.  When  1  come  to  the  registration  desk  and  say 
that  I  am  Chris  Sacha,  then  my  identity  itself  will  not  help  in  deciding  whether  1  am 
eligible  for  a  reduced  fee  or  not.  What  can  help,  are  two  credentials  stating  that  1  am 


t.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  195-208,  2010. 
©  Springcr-Verlag  Berlin  Heidelberg  2010 


196 


K.  Sacha 


employed  at  an  organization,  and  that  the  organization  is  a  conference  sponsor.  Cre¬ 
dentials  can  be  implemented  in  a  software  sy.stem  as  digitally  signed  documents. 

This  paper  deals  with  Role-based  Trust  management  (RT)  languages  for  describ¬ 
ing  security  policies,  roles  and  credentials  in  decentralized  and  open  environments 
[1-6].  Credentials  are  statements  in  a  RT  language,  describing  entities  (role  issuers 
and  requesters)  and  roles,  which  the  entities  can  play  in  the  system.  The  key  concept 
of  the  trust  management  approach  is  delegation:  An  entity  may  transfer  limited  au¬ 
thority  over  a  resource  to  other  entities.  Such  a  delegation  can  be  implemented  by 
means  of  an  appropriate  credential.  This  way,  a  set  of  credentials  defines  the  security 
policy  and  allows  of  deciding  on  who  is  authorized  to  access  a  resource,  and  who 
is  not. 

The  first  tru.st  management  systems  were  PolicyMaker  [1,2],  KeyNote  [3]  and 
SPKI/SDSI  [5].  All  those  systems  used  languages  that  allowed  assigning  privileges 
to  entities  and  used  credentials  to  delegate  permissions  from  its  issuer  to  its  subject. 
A  missing  feature  was  the  possibility  of  delegation  based  on  attributes  of  the 
entities. 

Role-based  Trust  management  languages  use  roles  to  represent  attributes  [11]:  A 
role  is  a  set  of  entities  who  have  the  attribute  represented  by  the  role.  There  are  sev¬ 
eral  RT  languages,  with  varying  expressive  power  and  complexity.  The  basic  lan¬ 
guage  RTo  [13]  allows  describing  roles,  role  hierarchies,  delegation  of  authority  over 
roles  and  role  intersections.  RT^  provides  manifold  roles  to  express  threshold  and 
separation  of  duties  policies.  A  manifold  role  is  a  role  that  can  be  .satisfied  by  a  set  of 
cooperating  entities.  A  threshold  policy  requires  a  specified  minimum  number  of 
entities  to  agree  before  access  is  granted.  Separation  of  duties  policy  requires  a  set  of 
entitie.s,  each  of  which  fulfils  a  specific  role,  to  agree  before  access  is  granted.  Both 
types  of  policies  mean  that  some  roles  cannot  be  fulfilled  by  a  single  entity  and  a  set 
of  entities  must  cooperate  in  order  to  satisfy  these  roles. 

RT  languages  have  well  defined  syntax  [11,12]  and  intuitive  meaning.  A  set- 
theoretic  semantics  has  been  defined  for  RTq  in  [13,9]  and  for  RT^  in  [7]. 

The  rest  of  this  paper  is  organized  as  follows.  BNF  syntax  and  an  improved  and 
simplified  definition  of  the  .semantics  of  RT^  are  described  in  Section  2.  A  credential 
graph  and  a  credential  chain,  which  allow  answering  the  access  control  queries  in 
RT\  are  pre.sented  in  Section  3.  Final  remarks  and  plans  for  further  research  are 
described  in  Conclusions. 

2  The  Language  RT^ 

There  are  three  basic  elements  in  all  the  RT  languages:  Entities,  role  names  and  roles. 
Entities  are  actors  within  an  access  control  system,  which  can  participate  in  issuing 
permissions  and  making  requests  to  access  resources.  An  entity  can,  e.g.,  be  a  person 
or  a  program  identified  by  a  user  account  or  a  public  key  in  a  computer  system.  Role 
names  represent  permissions  that  can  be  granted  to  sets  of  entities  (may  be  singleton 
.sets)  to  manipulate  resources.  Roles  represent  sets  of  entities  that  have  particular  per¬ 
missions  granted  according  to  the  access  control  policy.  The  statements  in  RT^  are 
credentials,  which  are  used  for  describing  access  control  policies,  assigning  entities  to 
roles  and  delegating  authority  to  the  members  of  other  roles. 


Credential  Chain  Discovery  in  RT^  Trust  Management  Language 


197 


2.1  The  Syntax 


In  this  paper,  we  use  nouns  beginning  with  a  capital  letter  or  just  capital  letters,  e.g.  /t, 
B,  C,  to  denote  sets  of  entities.  Role  names  are  denoted  as  identifiers  beginning  with  a 
small  letter  or  just  small  letters,  e.g.  r,  5,  /.  Roles  take  the  form  of  a  set  of  entities  (the 
issuer  of  this  role)  followed  by  a  role  name  separated  by  a  dot,  e.g.  A.r.  A  credential 
consists  of  a  role,  left  arrow  symbol  and  a  valid  role  expression,  e.g.  A.r  ^  e, 

BNF  specification  of  the  RT^  syntax  can  be  written  as  follows. 

<credential>  ::=  <role>  <r-  <role-expre.ssion> 

<role>  ::=  <entity-sci>  .  <role-name> 

<role-expression>  ::=  <entity-set> 

I  <rolc> 

I  <role>  .  <role-name> 

I  <role>  n  <rolc 
1  <rolc>  0  <rolc> 

I  <role>  0  <role> 

There  are  six  types  of  role  expressions  and  six  types  of  credentials  in  RT\  which  are 
interpreted  in  the  following  way: 


A.r<r-B 

A.r^B.s 


A.r  ^  B.s.t 


-  simple  membership:  a  set  of  entities  B  can  satisfy  role  A.r. 

-  simple  inclusion:  role  A.r  includes  all  members  of  role  ^..v.  This  is 
a  delegation  of  authority  over  r  from  A  to  B,  as  B  may  cause  new 
sets  of  entities  to  become  members  of  the  role  A.r  by  issuing  cre¬ 
dentials  that  define  B.s. 

-  linking  inclusion:  role  A.r  includes  role  C.t  for  each  C.  which  is  a 
member  of  role  B.s.  This  is  a  delegation  of  authority  over  r  from  A 
to  all  the  members  of  the  role  B.s. 


A.r  <—  B.s  n  C.t  -  intersection  inclusion:  role  A.r  includes  all  the  sets  of  entities  who 
arc  members  of  both  roles  B.s  and  C.t.  This  is  a  partial  delegation 
from  Aio  B  and  C. 


A.r  <r-  B.s  0  C.t  -  role  A.r  can  be  satisfied  by  a  union  set  of  one  member  of  role  B.s 
and  one  member  of  role  C.t.  This  allows  expressing  separation  of 
duties  policies. 

A.r  B.s  C.t  -  role  A.r  can  be  satisfied  by  a  union  set  of  one  member  of  role  B.s 
and  one  member  of  role  C./,  where  both  members  are  disjoint  sets 
of  entities.  This  allows  expressing  threshold  policies. 


2.2  The  Semantics 

The  syntax  of  a  language  describes  the  rules  for  constructing  language  expressions, 
such  as  credentials  in  RT^.  The  semantics  of  a  language  describes  the  meaning  of 
expressions  in  the  application  domain.  A  definition  of  semantics  consists  of  two  parts 
[10]:  A  semantic  domain,  which  gives  meaning  to  the  language  expressions,  and  a 
semantic  mapping  from  the  syntax  to  the  semantic  domain. 


198 


K.  Sacha 


The  semantics  of  RT^  defines  the  meaning  of  a  set  of  credentials  as  a  relation  over 
a  set  of  roles  and  the  power  set  of  entities.  Thus,  we  use  a  Cartesian  product  of  the  set 
of  roles  and  the  power  .set  of  entities  as  the  semantic  domain  of  RT^.  The  semantic 
mapping  assigns  a  relation  between  roles  and  sets  of  entities  to  a  set  of  credentials. 

Let  £  be  a  set  of  entities  and  /?  be  a  set  of  role  names.  £  is  a  set  of  RT^  credentials. 
The  semantic  domain  of  RT^  is  a  Cartesian  product  of  .sets: 

l^xRx  2^ 

An  instance  of  this  product,  e.g.  ( A,  r,  B )  consists  of  a  set  A  of  entities  that  issue  a 
role,  the  role  name  r  and  a  set  B  of  entities  that  fulfill  the  role  A.r.  If  the  cardinality  of 
set  £  in  ( A,  r,  £  )  is  greater  than  one,  then  the  role  A.r  is  a  manifold  role. 

The  semantics  of  P,  denoted  by  5p,  is  a  relation: 

Sp^l'^xRx  2^ 

Let  A,  B,  C,  X,  Kbe  arbitrary  sets  of  entities  (may  be  singletons)  and  r,  s,  t  arbitrary 
role  names.  The  semantics  of  RT^  can  formally  be  defined  in  the  following  way. 

Definition  1  (Semantics  of  RT^).  The  semantics  of  a  set  P  of  RT^  credentials  is 
the  smallest  relation  SpQl^xRxl^,  which  is  closed  with  respect  to  the  following 


properties: 

•  ( A,  r,  X  )  €  5'p  for  each  A.rf-Xe  £  (1) 

•  If  A.r  B.s  €  P  and  ( B,  X)e  Sp,  then  ( A,  r,  X  )  e  Sp  (2) 

•  If  A.r  <—£..?./ €  P  and  (£,  5,  C)g  and  (C, /,  X  )g  then  (A,  r,  X  )g  5p  (3) 

•  IfA.r^B.s n  C./ G  P  and  ( £,  .V,  X  )  e  Sp.  (  C,  /,  X  )  g  Sp.  then  ( A,  r,  X  )  g  5p  (4) 


•  If  A.r  < —  B.s  ©  C.  /  G  P  and  ( B.  s.  X  ^  ^  Sp.  (  C.  t.  T )  g  Sp.  then  (A.r,  X^Y )  g  Sp  (5) 

•  If  A.r<— P..v(8)C./g  P  and  (  P,  .V,  X  )g  ^p,  (  C, /,  T)g  5pand  A'n  T=^,  .. 

then  ( A,  r,  XkjY  )  e  Sp 


Definition  1  is  recursive  in  that  it  defines  new  elements  of  Sp  in  relation  to  another 
elements  of  Sp.  Resolving  the  recursion,  we  can  construct  Sp  in  a  sequence  of  rn  steps, 
m  >  1 ,  which  results  in  a  sequence  of  ni  sets  Sq...  . . .  S^.  such  that: 

1.  =  ^ 

2.  for  A:  >  1,  contains  5^-1  and  a  triple  (A.r.X)  that  has  been  derived  from 
by  an  application  of  one  of  the  properties  (1)  through  (6)  in  Definition  1. 

3.  If  =  Snr.  then  =  Sp 

Please  note  that  S^c^p  for  each  k>0.  The  algorithm  is  finite,  i.e.  the  number  of  .steps 
m  is  finite,  becau.se  the  power  set  of  entities  2^  and  the  .set  of  role  names  R  are  finite. 

2.3  An  Example 

A  company  C  has  departments  D1  and  D2.  There  are  company  managers  and  there 
are  accountants  employed  at  each  department.  Such  a  structure  of  the  company  and 
the  roles  of  employees  can  be  described  using  simple  membership  credentials: 


Credential  Chain  Discovery  in  RT‘  Trust  Management  Language  199 

{C}.clepanfnent  {D1 }  (7) 

{ C}. department  {D2}  (8) 

{C}. manager  {Adam}  (9) 

{C]jnanager  {Bob}  (10) 

{ D 1 }. accountant  <r-  {Adam }  (11) 

{D\  }. accountant  {Alice}  (12) 

{ D2}. accountant  <r-  {Betty'}  (13) 


The  accountants  at  the  departments  have  the  rights  of  company  accountants.  This  is  a 
delegation  of  role  company  accountant,  issued  by  the  company,  to  the  members  of 
role  department  accountant.  This  can  be  de.scribed  using  simple  inclusion  credentials: 

{ C } .  a  c  count  ant  ^  { D I  }  .accoun  tant  (14) 

{ C}. accoun  tant  ^  { D2 }  .accountant  (15) 

or  a  single  linking  iticlusion  credential: 

{C}. accountant  c—  {C}. department. accountant  ( 1 6) 

A  bank,  which  supports  the  company,  requires  that  a  company  accountant  approves  a 
small  transaction.  A  single  person,  who  has  the  rights  of  a  company  accountant  as 
well  as  of  a  manager,  can  approve  a  medium  scale  transaction.  Such  a  policy  of  the 
bank  can  be  described  using  simple  inclusion  and  intersection  inclusion  credentials: 

{ Bank }.approveSmall  <—  { C} .accountant  (17) 

{ Bank }.approveMedium  c—  { C }. accountant  n  { C }jnanctger  (18) 

Two  accountants  and  a  manager  can  jointly  approve  a  big  transaction.  A  manager 
who  has  the  rights  of  an  accountant  can  serve  both  roles  at  the  transaction.  Such  a 
policy  can  be  de.scribed  using  credentials: 

{C}.  two  Accountants  { C}.account(tnt  0  { C}. accountant  (19) 

{ Bank } .approveBig  ^  { C } .  twoAccountants  0  { C } . matiager  ( 20) 

The  semantics  of  the  above  set  of  credentials  can  be  constructed  in  several  steps, 
according  to  recursive  Definition  1.  The  construction  is  shown  in  Table  1. 

Table  1.  Con.struction  of  the  semaniics  of  RT^  credentials 


Step 

Semantics 

^  ( 1 C  ) ,  department^  | D 1  ) ).  (|  C  ) ,  department,  { D2  D,  ( { C  ) .  manager,  { Adam ) ), 

( { 0 1 ) ,  accountant,  { Adam ) ),  ( ( D 1 ) .  accountant,  {Alice ) ),  ( { D2 ) .  accountant,  | Betty ) ), 

2 

(|C  ),  accountant,  {Adam}),  (|C  ),  accountant,  {Alice}),  ((C),  accountant,  {Betty}), 

3 

( 1  Bank } ,  approveSmall,  [Adam ) ),  ( |  Bank ) ,  approveSmall,  [Alice ) ), 

( 1  Bank ) ,  approveSmall,  { Betty ) ). 

4 

( { Bank ) ,  approvcMedium,  {Adam ) ), 

5 

({C  1,  twoAccountants,  {Adam,  Alice}),  (|C  ),  twoAccountants,  {Adam,  Betty}), 

(|C  ),  twoAccountants,  {Alice,  Betty}). 

6 

( 1  Bank ) ,  approveBig,  {Adam,  Alice ) ),  ( |  Bank ) ,  approveBig,  { Adam,  Betty ) ), 

( 1  Bank},  approveBig,  {Alice,  Betty,  Adam ) ) 

200 


K.  Sacha 


3  Credential  Chain 

The  rights  to  access  resources  are  granted  to  roles,  such  as  /A.r  or  B.s,  which  members 
are  groups  of  entities  (manifold  roles).  When  a  group  X  of  entities  submits  a  request 
to  access  a  resource,  then  the  access  mediator  needs  to  decide  whether  X  is  a  member 
of  the  role,  say  A.r,  which  was  granted  access  to  this  resource.  One  way  to  make  such 
a  decision  could  be  to  compute  the  semantics  of  the  entire  set  of  credentials  that  de¬ 
fine  the  security  policy  and  to  check  whether  X  belongs  to  role  A.r  or  not.  Unfortu¬ 
nately,  such  an  approach  could  be  inefficient  if  the  set  of  credentials  was  very  large.  A 
much  better  approach  is  to  take  into  account  not  all  the  existing  credentials,  but  only 
those  that  are  necessary  to  decide  on  membership  of  X  (the  requester)  in  A.r  (the  role 
authorized  to  access  the  resource). 

3.1  Credential  Graph 

A  credential  graph,  introduced  for  RTo  in  [13],  is  a  graphical  representation  of  the 
semantics  of  a  set  P  of  credentials.  The  nodes  of  the  graph  are  role  expressions,  which 
appear  within  the  credentials,  and  the  directed  edges  reflect  inclusion  of  sets  that  are 
the  meaning  of  those  expressions.  Making  a  decision  on  the  membership  of  an  entity 
B  in  the  role  A.r  is  equivalent  to  checking  whether  a  path  from  B  to  A.r  exists  in  the 
graph  or  not.  RTo  credential  graph  is  static  in  that  the  set  E  of  entities  that  can  issue 
roles,  delegate  permissions  to  other  entities  and  make  requests  to  access  resources  is 
constant.  No  new  entity  can  be  created  by  any  credential  of  set  P. 

RT^  credential  graph,  introduced  in  Definition  2  below,  is  dynamic.  Role  issuers  as 
well  as  requesters  are  groups  of  entities,  and  credentials  of  type  A.r  <—  B.s  0  C.t  and 
A.r  <r-  B.s  (E)  C.t  can  create  new  groups  of  entities  that  can  issue  roles,  delegate  per¬ 
missions  to  other  groups  of  entities  or  make  requests  to  access  resources.  Such  a  dy¬ 
namic  nature  makes  the  construction  of  RT^  credential  graph  much  more  difficult. 

Let  P  be  a  set  of  RT^  credentials  over  a  set  E  of  entities  and  a  set  R  of  role  names. 

Definition  2  (RT^  Credential  Graph).  RT^  credential  graph  is  an  ordered  pair 
Gf>=  (  Np,  Ep)  comprising  a  set  Np  of  nodes,  which  are  role  expressions  that  appear 
in  credentials  from  P  and  subsets  of  entities  from  E,  and  a  set  Ep  of  directed  edges, 
which  are  ordered  pairs  of  nodes  from  Np.  The  sets  Np  and  Ep  are  the  smallest  sets 
that  are  clo.sed  with  respect  to  the  following  properties: 

1.  If  a  credential  A.r  <—  e,  where  is  a  role  expression,  belongs  to  P,  then  the  nodes 
A.r  and  e  belong  to  Np  and  a  credential  edge  (  e,  A.r  )  belongs  to  Ep. 

2.  If  role  expressions  B.s.t  and  C.t  belong  to  Np  and  there  exists  a  path  from  C  to  B.s 
in  Gp,  then  a  derived  edge  (  C/,  B..s\t )  belongs  to  Ep.  The  path  from  C  to  B.s  cre¬ 
ates  a  support  set  for  this  edge. 

3.  If  role  expressions  B.s  n  C./  and  X  belong  to  Np  and  there  exist  paths  from  X  to  B.s 
and  from  X  to  C.t  in  Gp,  then  a  derived  edge  { X.  B.s  C.t )  belongs  to  Ep.  The 
paths  from  X  to  B.s  and  from  X  \o  C.t  create  a  support  set  for  this  edge. 

4.  If  role  expressions  B.s  0  C.t,  B.s,  C.t,  X,  K  belong  to  Np  and  there  exit  paths  from  X 
to  B.s  and  from  Y  to  C.t  in  Gp,  then  a  derived  node  XuY  belongs  to  Np  and  a 


Credential  Chain  Discovery  in  RT^  Trust  Management  Language 


201 


derived  edge  (XuY,  B.s  0  C.t)  belongs  to  Ep.  The  paths  from  X  to  B.s  and  from  Y 
to  C.t  create  a  support  set  for  both  derived  elements. 

5.  If  role  expressions  B.s  0  C/,  B.s,  C.t,  X,  K  belong  to  Np  and  there  exit  paths  from  X 
to  B.s  and  from  Y  to  C.t  in  Gp,  and  Xny=0,  then  a  derived  node  XuY  belongs  to  Np 
and  a  derived  edge  {XuY,  B.s  0  C.t)  belongs  to  Ep.  The  paths  from  X  to  B.s  and 
from  Y  to  C.t  create  a  support  set  for  both  derived  elements. 

Definition  2  is  recursive  in  that  it  defines  new  elements  of  Gp  in  relation  to  another 
elements  of  Gp.  Re.solving  the  recursion,  we  can  construct  Gp  in  a  sequence  of  m 
steps,  ///  >  1,  which  result  in  a  sequence  of  nt  subgraphs  Gi  ...  G*...  G,„,  such  that: 

1.  G]  is  composed  of  credential  nodes  and  credential  edges,  created  by  an  application 
of  property  1  in  Definition  2  to  all  the  credentials  in  P. 

2.  Gk  is  composed  of  Gjt^i  and  a  derived  edge  and  (possibly)  a  derived  node  added  by 
an  application  of  one  of  the  properties  2  through  5  in  Definition  2  to  G  ^ 

3.  It  G,„+[  =  G„„  then  G„,  =  Gp. 

Please  note  that  Gj,  G  Gp  for  k  >  1 .  The  algorithm  is  finite,  i.e.  the  number  of  steps  in  is 
finite,  because  the  power  .set  of  entities  2^  and  the  set  of  role  names  R  are  finite. 

3.2  Soundness  and  Completeness 

Denote  the  power  set  of  entities  by  F  =  2^.  Each  element  in  F  is  a  set  of  entities  from 
F.  Each  clement  in  2^  is  a  set,  composed  of  sets  of  entities  from  E.  The  .semantics  of  P 
can  now  be  described  as  a  function: 

Sp  :  2'^  xK-^  2'' 

that  maps  each  role  from  2^  x  R  to  a  set  of  all  such  sets  of  entities,  which  are  members 
of  this  role.  Knowing  the  relation  Sp,  one  can  define  the  function  Sp  as  follows: 

( /4.r  )  =  {  X  €  2^'.  i  A,  r,  X  )  E  ,5/.  } 

Let  EXp  be  the  set  of  role  expressions  that  appear  within  the  credentials  of  set  P.  The 
function  Sp  can  be  extended  to  the  domain  of  role  expressions  EXp: 

Sp  :  EXp  2^ 

by  adding  the  following  six  definitions,  related  to  six  types  of  RT^  credentials  (X  c  E 


is  a  set  of  entities,  may  he  a  singleton): 

=  {  X)  (21) 

Sp(A.r)  =  {  Xe  2^-:  {  A.  r.  X  )  e  Sp  )  (22) 

Sp  (  B.sJ  )  =  U(':  I  fl.i.r  )6  5,  (  X  6  2^':  (  C,  /,  X  )  e  Sp  ]  (23) 

Sp(  B.s  n  Cr )  =  {  X  €  2";  {  B.  .s.  X )  e  Sp  x  {  C.  t.  X  )  e  Sp  ]  (24) 

Sp(  B.s  ®C.t)  =  {  XuKe  2^':  {  B,  s.  X  )  e  Sp  a  {  C.  t,  Y  )  e  Sp  ]  (25) 


Sp  (  B.s  ®C.t)  =  (  XuKe  2'":  (  S,  ,v,  X  )  e  5^  a  (  C,  f,  K )  6  a  X  n  )  (26) 


202 


K.  Sacha 


To  prove  the  soundness  of  the  credential  graph,  we  must  prove  that  if  a  path  from  X  to 

A. r  exists  in  G/>,  then  {  A,  r,  X  )  g  Sp.  This  is  equivalent  to  showing  that  Sp{X  )  Q 
Sp(A.r).  To  show  this  inclusion  it  is  sufficient  to  prove  that  Sp(  /q  )cS'/»(  /12 )  for 
each  edge  ( /i|,  ^2 )  of  Op.  This  is  proved  in  Theorem  1. 

Theorem  1.  For  each  /q,  nis  Np,  if  ( ni,  /22 )  e  Ep  then  Sp(  fi]  )^Sp(  /12  )■ 

Proof.  IvCt  (/ii,  /I2)g  Ep  be  an  arbitrary  edge  in  Gp.  The  proof  is  by  induction  with 
respect  to  the  number  k  of  steps,  which  are  needed  to  add  (/ii,  /12)  to  the  constructed 
credential  graph. 

If  A:  =  1,  then  credential  n\  must  belong  to  P.  This  credential  can  be  one  of  the 
six  types  allowed  in  RT^.  Each  of  the.se  types  will  be  considered  separately. 

I  A.r  <r-  X  \  {  A,  r,  X)  G  Sp  due  io(\).Sp{X)Q,Sp(A.r)  according  to  (22)  above. 

[  A.r  <—  B..S  ]  Consider  an  arbitrary  Xg  Sp  (B.s).  This  implies  (B,s,X)g  Sp  ac¬ 
cording  to  (22),  and  (A,r,X)G  Sp  according  to  (2).  Hence,  X  g  Sp(A,r). 

I  A.r  B.s.t  I  Consider  an  arbitrary  X  g  Sp(  B.s.t ).  According  to  (23),  there  exists 
C  G  2^\  such  that  (  B,  s,  C)g  Sp  and  (  C,  /,  X )  g  Sp.  This  implies  ( A,  r,  X  )  g  Sp 
according  to  (3).  Hence,  X  g  Sp{A,r). 

[  A.r  <—  B.s  o  C.t]  Consider  an  arbitrary  Xg  Sp  (B.s  n  C.t  ).  This  implies 
(  B,.s,  X)  G  Sp  and  (  C,  t,  X )  g  Sp  according  to  (24),  and  (  A,  r,  X  )  g  Sp  according  to 
(4).  Hence,  X  g  Sp{  A,r ). 

[A.r<r-B.s^C.t\  Consider  an  arbitrary  Zg  Sp(B..s^  C.t  ).  According  to  (25), 
there  exist  X,  Y  g  2^  such  that  XuY=Z  and  (  B,  s,X)  g  Sp  and  (  C.  /,  T )  g  Sp.  Hence, 
(  A,  r,  Z )  G  Sp  according  to  (5),  which  implies  that  Zg  Sp(  A,r  ). 

I  A.r  B.s  ^  C.t]  Consider  an  arbitrary  Zg  Sp{B.s®  C.t  ).  According  to  (26), 
there  exist  X,  Y g  2^  such  that  Xuy=Z  and  {  B,  s,X  )g  Sp  and  (  C,  t.  Y)  g  Sp  and 
XnY=^.  Hence,  (  A,  r,  Z  )  g  Sp  according  to  (6),  which  implies  that  Zg  Sp(  A,r  ). 

If  A:  >  1,  assume  as  the  inductive  hypothesis  that  the  thesis  is  true  for  the  number  of 
steps  not  greater  than  ^-1.  We  will  show  that  it  is  true  also  for  the  number  of  steps  k. 
In  step  k  one  of  the  properties  2  through  5  in  Definition  2  has  been  applied  to  add 
( /ii,  til)  to  the  constructed  graph.  Each  of  these  cases  will  be  considered  separately. 

Property  2.  Consider  a  derived  edge  ( /ii,  /22 )  stich  that  ni  =  C.t  and  n2  =  B.s.t.  The 
existence  of  the  derived  edge  (  C.t,  B.s.t )  in  G^t  implies  that  a  path  from  C  to  B.s  ex¬ 
ists  in  Then  Sp(C )  Q,Spi  B.s )  according  to  the  inductive  hypothesis,  and 
{  B,  SyC)  G  Sp.  Consider  an  arbitrary  Xg  Sp{  C.t  ).  This  implies  (  C,  /,  X  )  g  Sp  ac¬ 
cording  to  (22),  and  Xg  Sp{  B.s.t  )  according  to  (23). 

Property  3.  Consider  a  derived  edge  (  /ij,  /12 )  such  that  =X  and  ni  =  B.s  n  C.t. 
The  existence  of  the  derived  edge  (  X,  B.sr^C.t )  in  implies  that  paths  from  X  to 

B. s  and  from  X  to  C.t  exist  in  Then  Sp{  X)  q  Sp{  B.s  )  and  Sp(  X  )  Q,Sp{  C.t) 
according  to  the  inductive  hypothesis.  Hence,  ( B,s,X)  g  Sp  and  (C, /,X)g  Sp.  This 
implies  Xg  Sp  (B.s  r\  C.t)  according  to  (24). 

Property  4.  Consider  a  derived  edge  (  /ij,  /I2  )>  where  txy  =  XuK  and  txi  =  B.s  ®  C.t. 
The  existence  of  the  derived  edge  (  XuT,  B.s  0  C.r )  in  G;t  implies  that  paths  from  X 
to  B.s  and  from  Y  to  C.t  exist  in  G|_i.  Then  Sp(X)^Sp(  B.s)  and  Sp(Y)  (Z,Sp(C.t) 
according  to  the  inductive  hypothesis.  Hence,  (B,s,X)g  Sp  and  (C,t,Y)G  Sp,  which 
implies  XuT g  Sp(B.s  ®  C.t)  according  to  (25). 


Credential  Chain  Discovery  in  RT^  Trust  Management  Language 


203 


Property'  5.  Consider  a  derived  edge  ( /ij,  /h  where  /?i  =  XuY  and  02  =  B.s  (8)  C./. 
The  existence  of  the  derived  edge  ( XuY.  B.s®  C.t )  in  implies  that  Xr\Y=(p  and 
paths  from  X  to  B.s  and  from  Y  to  C.t  exist  in  G|-j.  Then  Sp{X)QSp(B.s)  and 
(  C./ )  according  to  the  inductive  hypothesis.  Hence,  (B.s\X)€Sp 
and  {  C,  /,  T  )  €  Sp,  which  implies  XuY e  Sp  {  B..s  0  C  / )  according  to  (26). 

To  prove  the  completeness  of  the  credential  graph,  we  must  prove  that  for  each  ele¬ 
ment  {A.r.X  )€  Sp  the  role  expressions  A.r  and  X  are  among  the  nodes  of  Gp  and  a 
path  from  X  to /\,/*  exists  in  Gp.  This  is  proved  in  Theorem  2. 

Theorem  2.  If  ( ^4,  r,  X  )  e  Sp  then  A.r.  X  e  Np  and  a  path  from  X  to  A.r  exists  in  Gp. 

Proof.  The  proof  is  by  induction  with  respect  to  the  number  k  of  steps  to  construct  the 
element  {  A.  r.  X  )e  Sp.  Assume  {  A.  X  )  e  S^  for  a  certain  k>  \  . 

If  A:  =  1 ,  then  A.r  <—  A'  €  P.  because  S^  =  (p  and  no  property  other  than  ( 1 )  could  be 
applied.  A  path  from  X  to  A.r  exists  in  the  graph  according  to  point  1  in  Definition  2. 

If  it  >  1,  assume  for  the  inductive  step  that  the  thesis  is  true  up  to  k-\  steps.  We  will 
show  that  it  is  true  also  for  k  steps.  In  step  k  one  of  the  properties  (I)  through  (6)  has 
been  applied  to  construct  (  A,  r,  X  )e  5^  Each  of  these  cases  is  discussed  separately. 

[  A.r  <—  X  ]  If  this  is  the  case,  then  A.r  <—  X  G  /^  which  implies  that  (  X,  A.r  )  e  Ep. 

[  A.r  B.s  ]  If  A.r  <—  B.s  was  applied  in  step  k  to  construct  (  A,  r,  X)g  5^,  then 
{  B.  s.  X  )g  5a_|.  Hence,  there  exists  in  Gp  a  path  from  X  to  B.s.  according  to  the  in¬ 
ductive  hypothesis,  and  an  edge  from  B.s  to  A.r  according  to  point  1  in  Definition  2. 

[  A.r  B.s.t  1  If  A.r  <—  B.s.t  was  applied  in  step  k  to  construct  (  A,  r,  X)  g  Si,,  then 
{B.s.C)e  Sk-\  and  (  C,  /,  X )  g  5^,1.  Hence,  there  exist  in  Gp  paths  from  C  to  B.s 
and  from  X  to  C.t  according  to  the  inductive  hypothesis,  an  edge  (a  derived  edge) 
from  C.t  to  B.s.t  according  to  point  2  in  Definition  2,  and  an  edge  from  B.s.t  to  A.r 
according  to  point  1  in  Definition  2.  The  segments:  path  from  X  to  C.t.  the  derived 
edge  from  C.t  to  B.s.t  and  the  edge  from  to  A.r  comprise  a  path  from  X  to  A.r. 

[A.r<— ZA.i*  n  C.t]  If  A.r  B.s  n  C.t  was  applied  in  step  k  to  construct 
{  A,  r,  X)  G  Si,,  then  {  B,  s.  X)  s  5jt_i  and  (  C,  r,  X  )  g  Si,-].  Hence,  there  exists  in  Gp  a 
path  (a  derived  edge)  from  X  to  B.s  n  C.t  according  to  point  3  in  Definition  2,  and  an 
edge  from  B.s  n  C.t  to  A.r  according  to  point  I  in  Definition  2. 

[  A.r  /Ls  0  C/ ]  If  A.r  <— /?.,v  0  C./  was  applied  in  step  k  to  construct 
{  A,  r,  X)  G  S],.  then  there  exist  Z.Ye  2^'  such  that  ZuY  =  X  and  {  B.  s.  Z )  e  Si,-\  and 
(  C, /,  K )  G  Si,-].  Hence,  there  exists  in  Gp  a  path  (a  derived  edge)  from  ZuY  to 

B. s  0  C.t  according  to  point  4  in  Definition  2,  and  an  edge  from  B.s  0  C.t  to  A.r  ac¬ 
cording  to  point  1  in  Definition  2. 

I  A.r  B.s  ^  C.t]  If  A.r  i:— B.s  0  C.t  was  applied  in  step  k  to  construct 
(A,r,  X)g  Si,,  then  there  exist  Z.  Kg  2^'  such  that  ZuY  =X.  Zr\Y  =  (p  and 
(  B.  s.  Z  )  G  and  (  C,  /,  K )  g  Si^-i.  Hence,  there  exists  in  Gp  a  path  (a  derived  edge) 
from  ZuY  to  B.s  ®  C.t  according  to  point  5  in  Definition  2,  and  an  edge  from  B.s^Sf 

C. t  to  A.r  according  to  point  1  in  Definition  2. 

A  conclusion  from  Theorem  1  and  Theorem  2  is  such  that  the  credential  graph  of 
Definition  2  is  sound  and  complete  with  respect  to  the  semantics  of  RT^  credentials. 


204 


K.  Sacha 


3.3  Credential  Chain 

A  decision  on  whether  a  group  of  entities  X  is  a  member  of  role  A.r  can  be  made  by 
checking  whether  a  path  from  X  lo  A.r  exists  in  the  RT^  credential  graph  built  over  the 
set  of  known  credentials.  The  practical  problem  is,  however,  that  the  number  of  all  the 
credentials  can  be  very  big  and  not  all  of  them  can  be  available  at  the  moment.  A 
solution  to  this  problem,  suggested  in  [13]  for  RTo,  is  a  credential  chain,  which  is  the 
minimal  part  of  the  credential  graph  that  contains  a  path  from  X  to  A.r.  A  credential 
chain  from  X  to  A.r  is  sufficient  to  decide  on  the  membership  of  X  in  the  role  A.r.  If 
such  a  credential  chain  cannot  be  built,  the  membership  of  X  in  A.r  is  not  confirmed. 

A  definition  of  RTq  credential  chain  can  be  extended  into  RT\  The  chain  can  be 
built  starting  from  one  end  (A.r)  or  from  the  other  end  (X),  and  continue  the  process  as 
long  as  a  path  from  X  to  A.r  is  found.  The  resulting  subgraph  need  not  be  minimal. 
Therefore  we  omit  the  word  minimal  in  the  definition  of  the  credential  chain. 

Definition  3  (Credential  Chain).  A  credential  chain  from  X  to  A.r  is  a  subset  of  the 
credential  graph  containing  a  path  from  X  to  A.r  and  the  support  sets  for  each  derived 
edges  in  the  subset.  □ 

Let  P  be  a  set  of  RT^  credentials,  A.r  be  a  role,  and  X  be  a  set  of  entities  from  E.  A 
credential  chain  is  a  directed  graph,  which  nodes  are  role  expressions  that  appear  in 
credentials  from  P  and  subsets  of  entities  from  £,  and  directed  edges  reflect  inclusion 
of  sets  of  entities  that  are  the  meaning  of  those  expressions. 

The  construction  of  a  credential  chain  from  X  to  A.r  can  begin  from  node  A.r  and 
proceed  backward  with  respect  to  the  direction  of  arcs,  adding  arcs  and  nodes,  until 
the  final  nodes  of  the  graph.  Alternatively,  the  credential  chain  can  be  constructed 
starting  from  X  and  proceeding  forward  with  respect  to  the  direction  of  arcs. 

Both  algorithms  are  described  below.  Nodes  that  are  added  in  the  construction 
process  can  be  classified  into  two  categories:  active  nodes  and  passive  nodes.  Active 
nodes  are  those  which  initiate  actions  within  the  construction  process.  Passive  nodes 
are  con.sidered  only  within  these  actions.  All  the  active  nodes  represent  roles. 

Algorithm  I.  A  backward  .search  algorithm  to  construct  a  credential  chain  from  Z  to 
U.v  consists  of  the  following  steps. 

1.  Create  a  node,  which  represents  the  role  U.v.  The  created  node  is  an  active  node. 

2.  Select  an  active  node,  denoted  here  A.r,  find  all  the  credentials  A.r  where  e  is 
an  arbitrary  role  expression,  and  for  each  such  credential  do: 

a)  Add  node  e  to  the  set  of  nodes  and  add  {  e,  A.r)  to  the  set  of  edges  of  the  con¬ 
structed  graph. 

b)  If  the  credential  is  of  type  A.r  <—  B.s.t,  then  add  B.s  to  the  set  of  nodes. 

c)  If  the  credential  is  of  type  A.r<—B.sr\C.t  or  A.r<—B..s®C.t  or  A.r^B.s^C.t^ 
then  add  B.s  and  C.t  to  the  set  of  nodes  of  the  constructed  graph. 

3.  Repeat  as  many  times  as  possible: 

a)  If  there  exist  nodes  B.s.t,  B.s  and  C  in  the  constructed  graph  and  a  path  from  C 
to  B.s  exists  in  the  graph,  then  add  C.t  to  the  set  of  nodes  and  add  (  C.t,  B.s.t )  to 
the  set  of  edges  of  the  constructed  graph. 


Credeniial  Chain  Discovery  in  RT^  Trust  Management  Language 


205 


b)  If  there  exist  nodes  B.snC.t,  B.s\  C.t  and  X  in  the  constructed  graph  such  that 
paths  from  X  to  B.s  and  from  X  to  C.t  exist  in  the  graph,  then  add  (  X,  B.sr\C.t ) 
to  the  set  of  edges  of  the  constructed  graph. 

c)  If  there  exist  nodes  B.s  0  C.t,  B.s,  C.t,  X  and  Y  in  the  constructed  graph  such  that 
paths  from  X  to  B.s  and  from  K  to  C.r  exist  in  the  graph,  then  add  XuY  to  the  set 
of  nodes  and  add  (  Xl^K,  B.s  0  C.r )  to  the  set  of  edges  of  the  constructed  graph. 

d)  If  there  exist  nodes  B.s<S^Cj,  B.s,  C.t,  X  and  Y  in  the  constructed  graph  such  that 
XnK  =  0  and  paths  from  X  to  B.s  and  from  K  to  Cr  exists  in  the  graph,  then  add 
XUY  to  the  set  of  nodes  and  add  (  XuY,  B.s  C.t )  to  the  set  of  edges  of  the  con¬ 
structed  graph. 

4.  Each  node  that  is  a  role  added  in  step  2  or  3  becomes  active;  all  other  nodes  added 
in  step  2  or  3  are  passive.  Node  A.r  considered  in  step  2  becomes  passive  as  well. 

5.  If  one  of  the  added  nodes  is  Z,  then  a  credential  chain  has  been  built.  If  the  list  of 
active  nodes  is  empty,  then  a  credential  chain  from  Z  to  U.v  does  not  exist.  Other¬ 
wise,  go  to  step  2. 

Forward  search  algorithm  is  a  bit  more  complex,  because  the  starting  point  of  the 
construction  is  not  as  obvious  as  in  the  previous  case.  To  capture  the  problem  con¬ 
sider  a  set  P  of  three  credentials,  e.g.:  P  =  {  A.r<^  B.s®  C.t,  B.s  <— X,  C.r  <—  K  }.  It  can 
easily  be  seen  that  the  only  set  of  entities  that  can  jointly  play  the  manifold  role  A.r  is 
the  union  of  sets  XuK  But  if  we  denote  the  union  Z=XuK,  and  ask  about  the  exis¬ 
tence  of  a  credential  chain  from  Z  to  A.r.  then  we  find  that  the  set  Z  does  not  appear 
within  the  credentials  of  set  P.  The  starting  point  for  a  forward  search  algorithm  in 
RT^  is  then  not  the  set  Z  itself,  but  rather  the  power  set  of  Z. 

Algorithm  2.  A  forward  search  algorithm  to  construct  a  credential  chain  from  Z  to 
U.v  consists  of  the  following  steps. 

1.  For  each  nonempty  subset  X  q  Z,  find  all  the  credentials  A.r  <r-  X.  For  each  such 
credential,  add  nodes  X  and  A.r  to  the  .set  of  nodes  and  add  (  X,  A.r )  to  the  set  of 
edges  of  the  con.structcd  graph.  Each  node  that  is  a  role  added  in  this  step  becomes 
active;  all  other  nodes  are  passive. 

2.  Select  an  active  node,  denoted  here  B.s,  and  do: 

a)  Find  all  the  credentials  A.r<^e  such  that  e  is  a  role  expression  B.s,  B.s.t, 
B.sniC.t,  B.s®  C.t  or  B.s^C.t  and  C.t  is  a  node  that  exists  in  the  constructed 
graph.  For  each  such  credential,  add  node  e  to  the  set  of  nodes  and  add  (  e,  A.r  ) 
to  the  set  of  edges  of  the  constructed  graph. 

b)  Find  all  the  credentials  A.r  4—  B.  For  each  such  credential,  add  nodes  B  and  A.r 
to  the  set  of  nodes  and  add  (  B,  A.r)  to  the  set  of  edges  of  the  constructed  graph. 

3.  Repeat  as  many  times  as  possible: 

a)  If  there  exist  nodes  B.s.t,  B.s,  C  and  C.t  in  the  constructed  graph  such  that  a  path 
from  C  to  B.s  exists  in  the  graph,  then  add  (  C.t,  B.s.t )  to  the  set  of  edges  of  the 
con.structcd  graph. 

b)  If  there  exist  nodes  B.snC.t,  B.s,  C.t  and  X  in  the  constructed  graph  such  that 
paths  from  X  to  B.s  and  from  X  to  C.r  exist  in  the  graph,  then  add  (  X,  B.s r\  C.t ) 
to  the  set  of  edges  of  the  constructed  graph. 


206 


K.  Sacha 


c)  If  there  exist  nodes  B.Sy  C,t,  X  and  Y  in  the  constructed  graph  such  that 

paths  from  X  to  B.s  and  from  Y  to  C.t  exist  in  the  graph,  then  add  XuY  to  the  set 
of  nodes  and  add  (  XuY,  B.s®  C.t )  to  the  set  of  edges  of  the  constructed  graph. 

d)  If  there  exist  nodes  B.s®  C.t,  B.s,  C.t,  X  and  Y  in  the  constructed  graph  such  that 
XnK  =  0and  paths  from  X  to  B.s  and  from  Y  to  C.t  exist  in  the  graph,  then  add 
XuY  to  the  set  of  nodes  and  add  (  XuY,  B.s  0  Cr )  to  the  set  of  edges  of  the  con¬ 
structed  graph. 

4.  Each  node  that  is  a  role  added  in  step  2  or  3  becomes  active;  all  other  nodes  added 
in  step  2  or  3  are  passive.  Node  B.s  considered  in  step  2  becomes  passive  as  well. 

5.  If  nodes  U.v  and  Z  exist  in  the  constructed  graph,  then  a  credential  chain  has  been 
built.  If  the  list  of  active  nodes  is  empty,  then  a  credential  chain  from  Z  to  U.v  does 
not  exist.  Otherwise,  go  to  step  2. 

3.4  An  Example 

Consider  the  following  question:  Can  a  team  of  Adam  and  Betty  approve  a  big  trans¬ 
action  in  the  bank  from  the  example  in  Section  2.3? 

To  answer  this  question  we  can  construct  a  credential  chain  from  {Adam,  Betty  ]  to 
{Bank].approveBig  (Fig.  1).  The  edges  marked  with  a  solid  line  are  credential  edges. 
Dashed  lines  represent  the  derived  elements,  which  were  added  according  to  proper¬ 
ties  2  through  5  in  Definition  2. 

A  description  of  the  application  of  backward  and  forward  search  algorithms  shown 
below,  is  based  on  an  assumption  that  credential  (16)  is  used  and  the  credentials  (14) 
and  (15)  are  excluded  from  the  set  P  of  available  credentials. 


Fig.  1.  Crcdcniial  chain  from  a  team  of  entities  [Adam,  Betty]  lo  ihe  role  {Bank].approveBig 

Backward  search  algorithm  starts  at  node  {Bank].approveBig.  Credential  (20)  adds 
node  {C].t\voAccotintants  ®  [C]. manager,  according  to  point  2a  in  Algorithm  1,  and 
nodes  {C].t\voAccountants  and  [C]. manager,  according  to  point  2c.  Starting  at 


Credential  Chain  Discovery  in  RT^  Trust  Management  Language 


207 


{C]jnonoger,  credential  (9)  adds  node  [Adam],  and  starting  at  {C].twoAccountants\ 
credential  ( 19)  adds  nodes  [C]. accountant  0  [C]. accountant  and  [C]. accountant. 

The  only  active  node  is  now  [C]. accountant.  Credential  (16)  adds  nodes 
[C]. department. accountant  and  [C].departtnent,  according  to  2b  in  Algorithm  1. 
Credentials  (7)  and  (8)  add  nodes  {01 )  and  {D2\.  The  edges  from  {D1 }  and  [02]  to 
[C]. department  create  the  support  sets  for  derived  edges  from  {D1  [.accountant  and 
[D2]. accountant  to  [C]. department. accountant,  added  according  to  point  3a. 

Next,  credentials  (11)  and  (13)  add  edges  from  [Adam]  to  [0\  [.accountant  and 
from  [Betty]  to  [D2]. accountant.  According  to  point  3d  in  Algorithm  L  a  derived 
node  [Adam,  Betty  ]  is  created  and  added  to  the  graph,  together  with  a  derived  edge  to 

[C] . accountant  ®  [C]. accountant.  Finally,  a  derived  edge  from  [Adam,  Betty]  to 
{ C].tvvoAccountant.s’  0  ( C].numager  is  added,  according  to  point  3c  in  Algorithm  1 . 

The  path  from  [Adatn,  Betty]  to  [Bank].approvcBig  shows  that  this  team  of  enti¬ 
ties  can  approve  a  big  transaction  according  to  the  security  policy  of  the  bank. 

Forward  search  algorithm  starts  at  sets  of  entities  [Adam],  [Betty  ]  and  [Adam, 
Betty].  Credentials  (9),  (11),  (13)  add  nodes  [Adatn],  [Betty],  [C].tnanagcr, 

[D]  [.accountatit  and  [D2]. accountant  to  the  constructed  graph,  and  add  edges  from 
[Adam]  to  [C]. manager,  from  [Adatti]  to  [D\  [.accountatit  and  from  [Betty]  to 
[D2] .accountant.  Moreover,  credentials  (11),  (13)  and  (7),  {8}  add  nodes  {/)!}, 
[02]  and  [C].departmetit,  and  add  edges  from  {/71)  to  [C]. department  and  from 
[02]  to  [C]. department. 

Next,  credential  (16)  adds  nodes  [C].departttient.accountant  and  [C]. accountant, 
and  adds  an  edge  from  [C].departttietit.acconntatit  to  [C].accoutitatit.  The  active 
node  is  now  [C]. accountant.  Credential  (19)  adds  nodes  [C].t\voAccountatit.s  and 
[C].accountatit^  [C]. accountant  and  the  edge  between  the  two.  Moreover,  a  node 
[Adatn,  Betty]  is  created  together  with  an  edge  to  [C]. accountant®  ( C].acconntant. 

Finally,  credential  (20)  creates  two  nodes  [C].nvoAccoutitants  0  [C].tnanager  and 
[Bank].approveBig,  and  two  edges  from  [C].t\voAccoutitants  0  [C].ttiatiager  to 
[  Batik]. approveBig  and  horn  Adatti,  Betty]  to  [C].nvoAccoutitatits  0  [C]. manager. 

A  credential  chain  from  [Adatti,  Betty  ]  to  [ Batik] .approveBig  has  been  built. 


4  Conclusions 

Role-ba.sed  Trust  management  languages  use  credentials  to  define  security  policies 
and  handle  trust  in  decentralized  distributed  access  control  systems.  RT^  is  a  powerful 
language,  which  supports  manifold  roles  and  is  capable  of  expressing  threshold  and 
separation  of  duties  policies.  The  contribution  of  this  paper  is  a  modified  definition  of 
the  relational  RT^  semantics  and  definitions  of  RT^  credential  graph  and  credential 
chain,  which  allow  searching  a  given  set  of  credentials  and  answering  the  security 
queries.  The  soundness  and  completeness  of  the  credential  graph  with  respect  to  the 
semantics  of  RT^  is  proved. 

The  plans  for  further  research  include  construction  of  a  prototype  implementation 
of  a  trust  management  server.  Neither  the  existing  implementations  of  the  trust  man¬ 
agement  systems  [1, 2,3,5]  nor  the  development  de.scribed  in  the  literature  [14]  are 
able  to  u.sc  the  potential  of  RT^  language.  Our  ultimate  goal  is  an  environment,  in 
which  access  control  is  one  of  the  services  offered  in  the  system  (Fig.  2). 


208 


K.  Sacha 


Fig.  2.  Trust  management  (TM)  server  in  a  service-oriented  environment 


References 

1.  Blaze,  M.,  Feigenbaum,  J.,  Lacy,  J.:  Decentralized  Tmst  Management.  In:  17th  IEEE 
Symposium  on  Security  and  Privacy,  pp.  164-173.  IEEE  Computer  Society  Press,  Los 
Alamitos  (1996) 

2.  Blaze,  M.,  Feigenbaum,  J.,  Strauss,  M.:  Compliance  Checking  in  the  PoIicyMaker  Trust 
Management  System.  In:  Hirschfeld,  R.  (ed.)  FC  1998.  LNCS,  vol.  1465,  pp.  254—274. 
Springer,  Heidelberg  (1998) 

3.  Blaze,  M.,  Feigenbaum,  J.,  loannidis,  J.:  The  KeyNote  Trust  Management  System  Version 
2.  Internet  Society,  Network  Working  Group,  RFC  2704  (1999) 

4.  Chapin,  P.,  Skalka,  C,  Wang,  X.:  Authorization  in  Trust  Management:  Features  and  Foun¬ 
dations.  ACM  Comput.  Survey  3,  1-48  (2008) 

5.  Clarke,  D.,  Elien,  J.-E.,  Ellison,  C.,  Fredette,  M.,  Morcos,  A.,  Rivest,  R.L.:  Certificate 
chain  discovery  in  SPKI/SDSI.  J.  Computer  Security  9,  285-322  (2001) 

6.  Czenko,  M.,  Etalle,  S.,  Li,  D.,  Winsborough,  W.:  An  Introduction  to  the  Role  Based  Trust 
Management  Framework  RT.  In:  Aldini,  A.,  Gorrieri,  R.  (eds.)  FOSAD  2007.  LNCS, 
vol.  4677,  pp.  246-281.  Springer,  Heidelberg  (2007) 

7.  Felkner,  A.,  Sacha,  K.:  The  Semantics  of  Role-Based  Trust  Management  Languages.  In: 
4th  IFIP  Central  and  East  European  Conference  on  Software  Engineering  Techniques,  pp. 
195-206(2009) 

8.  Ferraiolo,  D.,  Sandhu,  R.,  Gavrila,  S.,  Kuhn,  D.,  Chandramouli,  R.:  Proposed  NIST  Stan¬ 
dard  for  Role- Based  Access  control.  ACM  Trans.  Inf.  Syst.  Secur.  3,  224-274  (2001 ) 

9.  Gorla,  D.,  Hennessy,  M.,  Sassone,  V.:  Inferring  Dynamic  Credentials  for  Role-Based  Trust 
Management.  In:  8th  ACM  SIGPLAN  Conference  on  Principles  and  Practice  of  Declara¬ 
tive  Programming,  pp.  213-224.  ACM,  New  York  (2006) 

10.  Harel,  D.,  Rumpe,  B.:  Modeling  Languages:  Syntax,  Semantics  and  All  That  Stuff,  Part  I: 
The  Basic  Stuff.  Weizmann  Science  Press  of  Israel,  Jerusalem  (2000) 

11.  Li,  N.,  Mitchell,  J.,  Winsborough,  W.:  Design  of  a  Role-Based  Trust- Management  Frame¬ 
work.  In:  IEEE  Symposium  on  Security  and  Privacy,  pp.  1 14—130.  IEEE  Computer  Soci¬ 
ety  Press,  Los  Alamitos  (2002) 

12.  Li,  N.,  Mitchell,  J.:  RT:  A  Role-Based  Trust-Management  Framework.  In:  3rd  DARPA  In¬ 
formation  Survivability  Conference  and  Exposition,  pp.  201-212.  IEEE  Computer  Society 
Press,  Los  Alamitos  (2003) 

13.  Li,  N.,  Winsborough,  W.,  Mitchell,  J.:  Distributed  Credential  Chain  Discovery  in  Trust 
Management.  J.  Computer  Security  I,  35-86  (2003) 

14.  Reith,  M.,  Niu,  J.,  Winsborough,  W.:  Engineering  Trust  Management  into  Software  Mod¬ 
els.  In:  International  Workshop  on  Modeling  in  Software  Engineering.  IEEE  Computer 
Society,  Los  Alamitos  (2007) 

15.  Sandhu,  R.,  Coyne,  E.,  Feinstein,  H  ,  Youman,  C.:  Role-Based  Access  Control  Models. 
IEEE  Computer  (2),  38-47  (1996) 


Genetic  Optimization  of  Access  Control  Schemes 
in  Virtual  Local  Area  Networks 


Igor  Saenko  and  Igor  Kotenko 


Si  Petersburg  Institute  for  Informatics  and  Automation  (SPIIRAS) 
39,  14  Linija,  St.  Petersburg,  Russia 
{ saenko , ivkote} @comsec . spb . ru 


Abstract.  The  paper  presents  the  formulation  of  the  problem  of  access  control 
to  information  resources  located  in  virtual  local  area  networks.  We  define  the 
initial  data,  the  objective  function  and  constraints  of  the  problem.  To  solve  the 
propo.sed  problem  we  suggest  the  method  of  genetic  optimization  of  access  con¬ 
trol  scheme  based  on  the  poly-chromosomal  representation  of  intermediate 
points.  The  results  of  computer  simulation  and  evaluation  of  the  proposed 
method  are  discussed. 

Keywords:  access  control,  virtual  local  area  networks,  genetic  optimization. 


1  Introduction 

Joint  work  of  asers  in  computer  networks  stipulates  the  need  to  restrict  the  access  to 
information  resources  without  the  use  of  passwords.  An  example  is  the  problem 
of  protecting  information  from  unauthorized  access  in  computer  classrooms  of 
universities. 

This  problem  ha.s  the  following  specificity.  First,  the  student  contingent  has  a 
strong  heterogeneity,  and  all  students  can  be  considered  as  potential  .security  infring¬ 
ers.  In  this  case,  the  effectiveness  of  passwords  and  user  accounts  is  low.  Secondly,  in 
classrooms  the  access  control  schemes  require  frequent  retuning.  This  is  due  to  the 
fact  that  in  classrooms  the  lessons,  having  different  composition  of  used  information 
resources,  are  usually  alternated. 

The  basic  principles  of  information  security  in  such  integrated  information 
systems  arc  outlined,  for  instance,  in  the  papers  [1,2].  These  papers  show  that  the 
discretionary  model  based  on  an  access  control  matrix  is  most  widely  implemented  in 
classrooms  of  universities.  The  first  access  control  matrix  as  access  control  scheme 
was  introduced  in  |3].  This  model  was  considered  in  more  details  in  many  modern 
works,  for  example  [4,  5].  Each  cell  of  the  matrix  defines  the  subject  authority  to 
access  a  specific  object  or  another  access  subject. 

In  practice,  as  a  rule,  the  access  control  matrix  is  replaced  by  access  control  lists 
(ACL)  [6]  or  "lists  of  capabilities"  (C-lists)  17|.  Switches,  used  for  local  area  net¬ 
works,  al.so  use  ACL  [8].  Such  capability  allows  to  implement  virtual  local  area  net¬ 
works  (VLANs)  based  on  thc.se  solutions  [9].  ACL  lists  ensure  that  certain  traffic  is 
sent  to  specific  ports.  This  prevents  the  unauthorized  access  to  confidential  corporate 


t.  Kotenko  and  V.  Skorinin  (Eds  ):  MMM-ACNS  2010,  LNCS  6258.  pp.  209-216.  2010. 
©  Springer-Verlag  Berlin  Heidelberg  2010 


210 


1.  Saenko  and  1.  Kotenko 


information  and  network  congestion  as  a  result  of  program  attacks.  As  a  result,  on  the 
one  hand,  VLANs  provide  an  additional  level  of  access  control  to  network  re.sources, 
and,  on  the  other  hand,  the  adjustment  of  VLANs  is  also  determined  by  the  access 
control  matrix. 

The  generation  of  an  access  control  matrix  is  a  complex  problem  [10],  Under  sys¬ 
tem  operation  the  adjustment  of  access  control  schemes  is  repeated  each  time,  when 
the  equipment,  software  and  users  are  changed.  Nevertheless,  usually  the  generation 
of  access  control  scheme  is  still  done  manually,  without  the  u.se  of  mathematical 
methods  [11].  Creation  of  access  control  scheme  can  be  automated,  if  we  reduce  it  to 
an  optimization  problem  and  apply  an  effective  way  to  solve  it.  One  of  these  ways  is 
to  u.se  genetic  algorithms.  Genetic  algorithms  allow  to  solve  successfully  the  prob¬ 
lems  of  structural  and  parametric  optimization  of  various  sy.stcms  [12,  13]. 

The  purpose  of  this  paper  is  to  test  the  idea  of  applying  genetic  algorithms  to  gen¬ 
erate  a  correct  access  control  matrix  for  a  computer  network  on  the  base  of  construct¬ 
ing  VLAN.  We  sugge.st  the  method  of  genetic  optimization  of  access  control  scheme 
based  on  the  poly-chromosomal  representation  of  intermediate  points. 

The  paper  is  structured  as  follows.  Section  2  considers  mechanisms  for  access  con¬ 
trol  to  information  in  VLAN.  Section  3  outlines  the  proposed  problem  definition  and 
analysis.  In  section  4,  we  suggest  the  method  of  genetic  optimization  of  access  control 
scheme.  Section  5  discusses  the  results  of  computer  simulation  and  evaluation  of  the 
proposed  method.  Conclusion  surveys  the  main  paper  results. 

2  Mechanisms  for  Access  Control  to  Information  in  VLAN 

The  efficient  mechanisms  for  access  control  and  protection  of  information  against 
unauthorized  access  in  VLAN  are  (1)  the  rational  distribution  of  information  re¬ 
sources  and  users  on  network  nodes  and  (2)  the  organization  of  virtual  subnets  using 
network  switches  or  routers.  Let  us  consider  these  mechanisms, 

2.1  Distribution  of  Information  Resources  and  Users  on  Network  Nodes 

Information  resources  (files  or  directories)  distributed  on  network  nodes  are  called 
access  objects.  Network  computers  are  network  nodes.  Users,  working  at  computers 
at  any  given  time,  are  called  access  subjects. 

Several  access  objects  can  be  situated  on  one  network  node  at  one  time.  In  other 
words,  there  is  a  mapping  of  degree  1  :  M  among  the  set  of  access  objects  and  the 
set  of  nodes.  The  .same  acce.ss  subject  can  work  only  on  one  node.  Consequently,  the 
mapping  D  among  the  .set  of  subjects  and  the  set  of  nodes  has  also  the  degree  I  :  M, 

Access  subjects  have  full  acce.ss  to  those  objects  which  are  located  on  their  own 
network  node.  At  the  same  time,  sometimes,  the  subject  has  to  access  one  or  more 
objects  on  other  nodes  (for  example,  on  a  network  server).  This  capability  is  achieved 
by  assigning  to  access  object  a  special  shared  access  flag.  It  should  be  noted  that 
there  is  the  opportunity  of  a  password  based  shared  access.  However,  this  type  of 
shared  access  is  not  taken  into  account  in  the  statement  of  the  problem  due  the  speci¬ 
ficity  considered  in  the  Introduction.  The  password  based  shared  access  control  is 
assigned  to  VLAN. 


Genetic  Optimization  of  Aeeess  Control  Sehenies  in  Virtual  Local  Area  Networks 


211 


It  is  supposed  that  the  access  of  a  specific  subject  to  a  particular  object  is  deter¬ 
mined  by  the  following  rules:  (1)  aeeess  is  possible,  if  the  object  does  not  have  a 
shared  aeeess  flag,  but  is  located  on  the  node  at  which  the  subject  operates;  (2)  access 
is  possible,  if  the  object  has  that  flag  (in  this  case  it  is  not  important  on  which  node 
the  object  is  located);  (3)  access  is  denied  in  all  other  cases. 

2,2  Organization  of  Virtual  Subnets 

Virtual  subnets  are  realized  by  using  managed  network  switches.  These  network  de¬ 
vices  have  a  memory  that  stores  information  on  banning  (permitting)  the  exchange  of 
information  between  certain  pairs  of  computers  connected  to  switches.  As  a  result,  it 
is  possible  instead  of  a  fully  connected  exchange  scheme  between  the  ports  to  organ¬ 
ize  a  selective  scheme  with  .segregation  of  virtual  local  subnets. 

The  following  aeeess  rule  is  used  in  VLAN  for  all  computers:  if  two  computers  arc 
not  in  the  same  subnet,  then  the  information  exchange  between  them  is  impossible. 

VLAN  implementation  requires  a  change  of  the  second  rule  outlined  above.  Now 
this  rule  is  as  follows:  access  is  possible,  if  the  object  has  a  shared  aeeess  flag  and  the 
computer,  on  which  the  object  is  located,  and  the  computer,  on  which  the  subject 
works,  are  in  the  same  virtual  subnet. 

The  simultaneous  use  of  two  considered  access  control  mechanisms  makes  up 
a  "real"  access  control  scheme.  At  the  same  time  the  usage  the  speeifie  .software 
determine  a  "required"  access  control  scheme.  In  the  general  case  a  "real"  and  a  "re¬ 
quired"  access  control  schemes  may  be  different. 

Thus,  an  informal  statement  of  the  problem  of  access  control  with  usage  of  VLAN 
ean  be  formulated  as  follows:  using  mentioned  aeeess  control  mechanisms  it  is 
needed  to  ensure  that  the  “real"  aeeess  control  scheme  has  minimal  differences  with 
the  “required"  scheme,  and  coincides  with  it  in  ideal  case. 


3  Formal  Statement  of  the  Problem 

Let  us  specify  the  formal  statement  of  the  problem  of  on-line  optimization  of  access 
control  schemes  in  VLANs. 

The  initial  data  for  the  formal  statement  of  the  problem  are  as  follows: 

()|)  =  (or/,),  /=!.../  -  set  of  access  objects  (files,  directories); 

SO  =  [sdj\,  j  =  l...y  -  set  of  access  subjects  (for  example,  learners  and  teachers 
working  in  a  computer  network); 

U  =  { ,  A*  =  1 ...  A'  -  set  of  network  nodes; 

=  11/^^, ^11  -  requirements  for  different  levels  of  aeeess  (required  access  control 
scheme),  where  r^^jj=\,  if  .vr/,  should  have  access  od„  and  =0  otherwise. 

Since  the  problem  variables  should  fully  determine  the  decisions  on  the  distribu¬ 
tion  of  objects  and  subjects  and  the  structure  of  VLAN,  we  assume  that  these  deci¬ 
sions  are  as  follows: 

-  matrix  of  distribution  of  objects  on  network  nodes,  where  =1, 
if  odi  is  located  on  the  node  and  =0  otherwise; 

=  lk/''^yAll  -  matrix  of  distribution  of  subjects  on  network  nodes,  where  =1, 
i\  sdj  is  located  on  the  node  and  =0  otherwise; 


212 


1.  Saenko  and  I.  Kotenko 


V  =  { V/}  -  vector  of  shared  access  flags  of  network  resources,  where  V/  =1,  if  odj  is 
given  in  the  share,  and  v,  =0  otherwise; 

X  =  llr^„II,  m,n  =  \  .,.K  -  matrix  of  VLAN  structure,  where  =1,  if  nodes  u„,  and 
u„  belong  to  one  virtual  subnet,  and  =0  otherwise. 

As  an  objective  function  should  be  used  the  function,  evaluating  the  difference  be¬ 
tween  the  real  control  access  scheme  stipulated  by  values  V  and  X, 

and  the  required  access  scheme 

Let  us  show  how  to  obtain  the  functional  form  of  scheme 
Assume  that  the  access  control  scheme  is  determined  only  by  the  decisions 
and  (in  other  words,  all  the  elements  of  V  and  X  are  equal  to  I).  We  call  this 
scheme  unconditional  and  denote  R^^.  In  this  case  we  have 

ruc^D^^.(D^Y,  (0 

where  the  elements  of  the  matrix  R”*^  are  determined  by  the  expression 

=  ,2) 

k=\ 


Note  that  in  (2),  as  in  all  subsequent  expressions,  summation  and  product  are  the 
logical  operators  OR  and  AND  respectively. 

Suppose  that  the  decision  V  takes  effect  (that  is,  there  are  V/=0).  We  call  this  access 
control  scheme  as  “conditional  on  V”  and  denote  R^. 

If  =  1,  then  the  resource  od,  is  available  for  all  subjects.  In  this  case,  for  any  7, 
=  1.  If  =  0,  then  the  availability  of  the  resource  odi  is  defined  by  a  matrix  R“^. 
Consequently,  the  element  of  the  matrix  R^  is  defined  by  the  following  expression 


V  UC  ,  /I  UC 

r  ij  =  r  ij  ^  v,(  \  -r  y). 


(3) 


Now  suppose  that  in  addition  to  V,  the  decision  X  enters  into  force.  In  this  case,  the 
access  control  .scheme  is  a  “real"  control  access  scheme 

The  actual  availability  of  the  resource  od,  to  subject  sdj  occurs  when  there  is  a 
virtual  subnet  joining  this  resource  and  this  subject  together.  In  other  words,  the 
following  expression  is  true: 


(4) 

Jt=l 

It  is  easy  to  see  that  expressions  (2)-(4)  completely  determine  R^^®^  as  a  function  of 
variables  V  and  X. 

Objective  function  of  optimization  problem  statement  is  defined  as  a  measure  of 
divergence  between  and 

.=1  j=\ 


(5) 


Geneiic  Optimi/aiion  of  Access  Conlrol  Schemes  in  Virtual  Local  Area  Networks 


213 


The  discrepancy  between  and  should  be  minimal.  Therefore,  the  synthesis 
criterion  formulated  in  the  problem  statement  has  the  form 

min  .  (6) 

The  constraints  of  the  problem  statement  are  as  follows: 

1)  on  a  single  node  there  can  not  be  more  than  one  subject,  and  therefore  the 
following  condition  is  true: 


<  1  ; 


2)  one  file  can  be  only  on  one  node,  so  the  following  expression  is  valid 


(7) 


(8) 


4  Method  of  Solving  the  Problem 

The  problem  defined  by  expressions  (2)  -  (8)  belongs  to  a  class  of  non-linear  Boolean 
programming  problems,  when  the  variables  are  given  in  the  vector  and  matrix  form. 
The  exact  solution  of  this  problem  is  possible  only  by  an  exhaustive  search  of  vari¬ 
ables  that  can  not  be  acceptable  for  practical  purposes. 

We  offer  for  its  solution  a  method  which  implements  genetic  optimization  algo¬ 
rithms  (GOA),  successfully  used  in  many  synthesis  problems  [  12,  13]. 

However,  we  note  that,  as  shown  by  expression  (3)  and  (4),  the  set  of  variables  in 
the  objective  function  (6)  can  be  reduced  by  replacing  the  two  matrices  and 
on  a  single  matrix  R^\ 

The  method  based  on  GOA  is  as  follows.  On  initialization  stage,  an  initial  set  of 
solutions  (or  population)  is  randomly  formed.  Each  solution  (or  indivulual)  is  charac¬ 
terized  by  a  string  isomorphically  related  to  the  vectors  and  matrices  of  variables  that 
determine  this  solution.  This  string  is  called  a  chromosome  and  a  single  character  in 
it  -  a  ^ene. 

At  each  subsequent  stage  the  following  steps  are  fulfilled. 

Pairs  from  the  population  of  individuals  are  randomly  selected.  They  arc  called 
parents.  Between  them  the  process  of  crossing-over  occurs.  As  a  result  of  this  proc¬ 
ess,  a  couple  of  new  individuals  appear.  These  individuals  arc  called  descendants.  The 
chromosome  of  each  of  the  descendants  is  formed  from  two  parts:  one  part  is  taken 
from  the  chromosomes  of  the  "father”,  and  the  second  -  from  the  "mother"*s  chromo¬ 
somes.  The  descendants  are  added  to  the  general  population. 


214 


r  Saenko  and  1.  Kotenko 


The  population  has  quantitative  restrictions,  so  individuals  with  the  lowest  suitabil¬ 
ity  function  are  removed  from  the  population  ("die").  The  role  of  suitability  function 
is  played  by  the  function  (5). 

In  addition,  at  each  stage  a  part  of  the  individuals  is  subjected  to  mutation.  During 
mutation  the  genes  in  the  chromosome  are  changed  randomly. 

An  essential  feature  of  proposed  GOA  is  his  poly-chromosomal  character,  i.e.  indi¬ 
viduals  have  not  one,  but  three  chromosomes  V  h  X. 

Let  us  offer  the  forms  of  these  chromosomes. 

Since  R"*’  is  a  matrix  of  dimension  7x7,  it  is  not  symmetric.  Therefore,  the  only 
way  to  build  a  chromosome  mapping  this  matrix  is  a  serial  concatenation  of  rows  of 
R“^  into  one  big  string: 


[R]chr  -  [''ih  ^ ]/■>  ^2\->  •••»  (9) 

Vector  V  by  its  very  nature  is  a  chromosome,  in  which  an  element  v,  carries  the  role 
of  individual  gene: 


[Vlchr=  [vi,  V2,  ...,  V, . V/1.  (10) 

Matrix  X  is  a  symmetric  matrix.  Each  element  of  its  main  diagonal  is  1 .  Therefore,  to 
construct  the  chromosome  which  maps  X,  the  following  string  is  used: 

[  X  lehr  =  [-^12^  •  •  • .  -V I  A'23 . A'2A';  •  •  •  ^  h  •  •  • .  i  •  •  • '.  i .  a  )  •  (11) 

As  a  result  of  poly-chromosomal  crossing-over,  not  two,  as  in  the  traditional  case,  but 
eight  descendants  (2'^  =  8)  will  appear. 

The  GOA  is  completed,  when  the  population  goes  to  a  stable  state,  in  which  the  in¬ 
dividual  with  the  maximum  value  of  efficiency  is  taken  as  the  final  solution  of  the 
problem. 


5  Evaluation  of  the  Method 

The  evaluation  was  conducted  in  two  phases.  On  the  first  phase,  we  e.sti mated  compu¬ 
tational  complexity  and  performance.  On  the  second  phase,  we  estimated  the  LAN 
security  based  on  the  method  developed. 

Analysis  shows  that  GOA  has  a  polynomial  computational  complexity 
O  (Npop-Aind'/T),  where  -  number  of  populations  needed  to  obtain  a  solution, 

-  number  of  individuals  in  the  population,  K  -  number  of  network  nodes.  In  the  ex¬ 
periments,  the  value  of  Npo  was  in  the  interval  [25;  1()0],  K  had  values  {5;  10;  15}  and 

N.nd  =  200. 

Evaluation  of  GOA  performance  demonstrated  that  a  full  coincidence  of  the  result¬ 
ing  access  scheme  with  the  required  one  is  observed  only  at  small  values  of  /,  in  par¬ 
ticular,  when  7  =  6.  Moreover,  the  coincidence  is  reached  at  population  number  in  the 
range  from  25  to  30. 

Data  on  .security  evaluation  are  given  in  Table  1 . 


Genetic  Optimization  of  Access  Control  Schemes  in  Virtual  Local  Area  Networks 


215 


Table  1.  Security  evaluation 


/ 

Pdw 

N, 

V2 

Pi 

P. 

^uuu 

6 

hP 

10" 

6 

0 

0,00070 

10" 

7,00 

6 

10'’ 

10^ 

6 

0 

0,00061 

10'^ 

60,98 

6 

10^ 

10' 

6 

0 

0,00016 

10" 

1,60 

12 

lO"* 

10" 

12 

5 

0.00130 

0,(XKX>0 

2,17 

12 

10' 

10" 

12 

5 

0.00121 

0,(X)051 

2,37 

12 

kP 

10' 

12 

5 

0,00022 

0,00015 

1,47 

20 

K)-' 

10^ 

20 

18 

0,00210 

0,00190 

1,11 

20 

10^ 

10" 

20 

18 

(),(K)201 

0,00180 

1,1 1 

20 

10^ 

10" 

20 

18 

0,0(X)30 

0,00028 

1,07 

The  table  1  uses  the  following  parameters:  f’o  -  the  probability  of  unauthori/ed  ac¬ 
cess  the  information  caused  by  other  reasons  other  than  the  compromise  of  shared 
passwords;  ppy^  -  the  probability  of  password  compromising;  A^l  and  N2  -  the  number 
of  objects  which  require  access  password  protection  in  the  traditional  case  and  in  the 
case  of  using  the  proposed  method,  respectively;  n  P2  -  the  probability  of  unau¬ 
thorized  access  in  the  traditional  case  and  in  the  case  of  using  the  proposed  method, 
respectively;  =  P^f  P2-  degree  of  security  increase. 

Table  1  shows  that  for  various  configurations  of  the  simulated  system  the  gain  in 
security  increase  varies  from  7  to  6(X)  percentages.  The  greatest  gain  in  60  times  takes 
place  only  when  /7pw  is  greater  than  Po  in  10  times,  and  the  simulated  system  has  a  low 
dimension,  when  the  resulting  access  scheme,  organized  by  means  of  VLANs,  is  the 
same  as  required  one.  In  all  other  cases,  when  the  probability  of  compromising  the 
password  is  much  more  than  the  probability  of  unauthori/ed  access  by  other  reasons, 
the  gain  is  also  significant. 

6  Conclusion 

The  paper  shows  that  combining  the  technologies  of  VLAN  and  GOA  can  be  an  ef¬ 
fective  means  of  protecting  information  against  unauthorized  access  to  the  informa¬ 
tion  stored  in  local  networks.  On  the  one  hand,  the  proposed  method  of  protecting 
information  from  unauthorized  access  takes  into  account  the  requirements  of  security 
policy.  On  the  other  hand,  it  provides  multi-level  use  of  organizational  and  technical 
measures  of  protection.  The  method  has  high  efficiency  and  improves  the  security  on 
7-1 1  percentages  for  large-scaled  systems  or  in  7-60  times  for  small  systems.  In  this 
case  the  network  performance  was  not  reduced  significantly,  and  the  cost  of  routine 
work  of  security  administrators  was  greatly  decreased. 

Software  implementation  of  proposed  method  may  be  included  in  the  arsenal  of 
information  security  means  available  to  network  security  administrators.  It  may  be 
actively  u.sed  to  create  dynamically  configurable  schemes  of  custom  access  to 
network  resources. 


216 


1.  Saenko  and  I.  Kotenko 


Acknowledgments 

This  research  is  partly  funded  by  the  EU  under  SecFutur  project,  the  grant  of  the 
Russian  Foundation  of  Basic  Research  (Project  No.  ]0-0I-(X)826)  and  Program  of 
fundamental  research  of  the  Department  for  Nanotechnologies  and  Informational 
Technologies  of  the  Russian  Academy  of  Sciences  (Contract  No. 3. 2). 


References 

1.  Bubnov,  R.V.,  Chemikov,  A.S.:  Basic  principles  of  security  in  an  integrated  information 
system  to  support  the  management  of  the  University.  Vcstnik  MSTU  Bauman,  No.2  (2004) 
(in  Russian) 

2.  Simonenko,  S.N.:  Review  of  discretionary  access  control  mechanisms  in  relation  to  infor¬ 
mation  systems,  http://www.philippovich.ru/Library/Books/ITS/ 
wwwbook/ 1 ST7 /Simonenko/ Simonenko .  htm#_ftnl  (in  Russian) 

3.  Lampson,  B.W.-  Protection.  In:  Proceedings  of  the  5th  Princeton  Conference  on  Informa¬ 
tion  Sciences  and  Systems  (1971) 

4.  Bishop,  M.:  Computer  Security:  art  and  science.  Pearson  Education,  Inc.,  Boston  (2002) 

5.  Kizza,  J.M.:  Computer  Network  Security.  Springer  Science-i-Business  Media,  Inc.,  New 
York  (2005) 

6.  Galatenko,  V.A.:  Identification  and  authentication,  access  control, 

http:  / /WWW.  cit forum,  ru /security /art ides /galatenko  (in  Russian) 

7.  Gyikovich,  V.  Y.:  Fundamentals  of  Information  Technology  Security, 

http:  //bezpeka.  ladimir .  kiev.ua/pq/show/zi  .htm(in  Russian) 

8.  Hildebrandt,  W.:  Security  at  all  levels.  LAN  1 1  (2004)  (in  Russian) 

9.  Research  Report:  Secure  Use  of  VLANs:  An  @stake  Security  Assessment  (2002) 

10.  The  main  protective  mechanisms  used  in  systems  to  protect  information, 
http :  / /asher .  ru/security/book/its/07  (in  Russian) 

1 1 .  How  To  Design  an  Access  Control  Matrix  for  Your  Organization, 

http : / /WWW. howtodothings . com/business/how-to-design- 
an-access-control-matrix- for -your -organization 

12.  Wang,  G.,  Dexter,  T.W.,  Punch,  V.F.,  Goodman,  E.D.:  Optimization  of  GA  and  Within  a 
GA  for  a  2-Dimcnsional  Layout  Problem.  In:  First  International  Conference  on  Evolution¬ 
ary  Computation  and  Its  Application  (1996) 

13.  Shaffer,  J.D.,  Eshelman,  L.J.:  Combinatorial  Optimization  by  Genetic  Algorithms:  The 
Value  of  the  Genotype/Phenotype  Distinction.  In:  First  International  Conference  on  Evolu¬ 
tionary  Computation  and  Its  Application  (1996) 


Intellectual  Intrusion  Detection  with  Sequences 
Alignment  Methods 


Yaroslav  A.  Markov  and  Maxim  O.  Kalinin 


Inforniation  Security  Center  of  St.  Petersburg  Polytechnieal  University, 
Polytehnicheskaya  str.  29,  St.  Petersburg,  Russia 
{markov, max} @ssl . stu . neva . ru 


Abstract.  The  paper  addresses  to  application  of  sequences  alignment  intellec¬ 
tual  algorithms  for  the  intrusion  detection  needs.  These  algorithms  arc  used  in 
bioinformatics  to  detect  regions  of  similarity  in  .several  gene  sequences.  We 
propose  two  techniques  of  their  utilization.  Using  the  first  technique  it  is  possi¬ 
ble  to  detect  the  mutations  of  attack,  having  a  signature  of  it.  The  second  tech¬ 
nique  is  applicable  to  anomaly  detection.  We  discuss  what  algorithms  of 
sequences  alignment  can  be  used  in  these  methods  and  show  the  effectiveness 
of  these  techniques  on  practice. 

Keywords:  security,  intrusion  detection,  sequences  alignment,  mutations  of 
attack,  anomaly  detection. 


1  Introduction 

Development  of  information  technologies  causes  the  enriching  of  the  intruder’s  po¬ 
tential.  S(he)  can  now  adapt  to  new  detection  algorithms  and  invent  new  types  of 
attacks.  It  resembles  the  game.  In  a  re.spon.se  to  new  methods  of  detection  the  intruder 
invents  new  methods  of  attacks.  When  the  method  of  detection  of  this  new  attack  is 
invented  the  intruder  invents  other  new  attack  and  ete.  The  main  thing  of  it  is  that  the 
number  of  attacks  grows  exponentially.  These  facts  obligate  us  to  improve  the  meth¬ 
ods  and  algorithms  used  in  IDS.  The  IDS,  the  intrusion  detection  system,  is  a  soft- 
ware-ba.sed  or  hardware-ba.sed  tool  developed  to  detect  malicious  activities  or  policy 
violations  such  as  unauthorized  access,  integrity  violation  or  denial  of  service. 

IDS  usually  solves  the  problem  of  matching  two  sequences  to  determine  their  like¬ 
ness.  For  example,  it  ean  be  a  sequence  of  system  calls  or  sequence  of  network  pack¬ 
ets  that  is  compared  to  attack  signature.  In  bioinformaties,  this  problem  is  solved  by 
sequences  alignment  algorithms.  Thus,  resemblance  of  two  problems  makes  research 
of  application  of  these  algorithms  urgent  for  information  security  tasks. 

The  IDSs  are  divided  in  two  classes:  signature-based  and  anomaly-ba.sed.  One  of 
the  problems  of  signature-based  IDS  is  the  problem  of  attack  mutation.  If  attack  is 
slightly  changed,  it  ean  avoid  IDS,  and  consequently  a  new  signature  for  it  should  be 
developed.  We  show  how  the  sequences  alignment  algorithms  ean  be  used  to  solve 
this  problem.  One  of  the  approaches  for  anomaly-based  systems  is  to  create  the  base 
of  normal  behavior  of  protected  component  and  then  compare  the  monitored  behavior 

I.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  217-228,  2010. 

©  Springer- Verlag  Berlin  Heidelberg  2010 


218 


Y.A.  Markov  and  M.O.  Kalinin 


with  it.  The  base  of  normal  behavior  can  be  built  of  sequence  of  system  calls  or  net¬ 
work  packets.  The  sequences  alignment  algorithms  can  improve  this  method  by 
reduction  of  the  size  of  normal  behavior  base. 

The  following  paper  is  divided  in  7  sections.  Section  2  determines  the  formal 
model  of  attack  detection.  In  section  3  the  sequences  alignment  algorithms  are 
reviewed.  Section  4  describes  the  application  of  these  algorithms.  Section  5  and  6 
contain  results  and  review  of  the  related  works.  Finally,  there  is  the  conclusion  in 
section  7. 

2  Formal  Model  of  Attack  Detection 

We  define  the  protected  system  System  as  a  .set  of  entities  E  that  interact  with  each 
other.  Whether  the  interaction  is  permitted  or  denied  depends  on  the  security  attrib¬ 
utes  SA: 


(1) 


System  =  <E,  SA>  . 


Informational  interaction  is  an  interaction  process  of  two  or  more  entities  with  the 
purpo.se  of  changing  the  information  within  at  least  one  of  them.  In  any  informational 
interaction,  there  are  entities  that  initiate  it.  For  example,  a  man  initiates  reading  of  a 
book.  We  denote  entities  that  cannot  be  initiators  of  any  interaction  as  objects  O.  All 
other  entities  we  denote  as  subjects  5.  Thus,  a  set  of  entities  is  unification  of  S  and  O: 
E  =  SYO.  Informational  interaction  between  the  entities  in  the  given  system  is  im¬ 
plemented  by  executing  commands  which  make  the  .set  C.  The  command  can  be  writ¬ 
ten  in  p.seudo-language  a.s: 

{Condition i)  — >  (Inter i,  Inter2.  ....  Inter J;  (Condition2)  — >  (Inter^) .  (2) 

Where  Inter j,  Inter2,  ...,  Inter, Inter„,  are  the  elements  of  possible  interactions  in  the 
.system  set  Inter.  Condition!,  Condition!  are  the  conditions  like  “if  User!  has  a  right 
to  read  file  Docnments'\ 

Let  AC  denotes  an  access  control  function: 


AC :(S.O. Inter) ^{0,l}  ■ 


(3) 


It  checks  whether  the  subject  S  can  have  an  interaction  Inter  with  the  object  O.  For 
example,  in  systems  that  use  Harrison-Russo-Ullman  security  model,  the  access  con¬ 
trol  function  equals  to  1  iff  there  is  Inter  in  the  access  matrix  cell  respective  to  S  and 
Ol\]. 

The  condition  in  command  is  a  unity  or  conjunction  of  access  control  functions: 


Condition  = 


(4) 


Intellectual  Intrusion  Detection  with  Sequences  Alignment  Methods 


219 


State  denotes  a  system  state  function  which  returns  the  tuple  <E„  SAi>,  where  E,  and 
5/4,  are  the  sets  of  the  system  entities  and  security  attributes  fixed  at  time  /: 

State:T  ^<E.SA>  .  (5) 

Where  7  is  a  set  of  time  moments  with  given  discrete  frequency. 

IsSecure  is  a  system  security  function: 

lsSecure:<  E. 5^  >->  {O.  l}  .  (6) 

IsSecure  is  equal  to  unity  iff  the  system  is  secure. 

The  system  stale  changes  under  influence  of  the  commands.  Thus,  knowledge 

about  that  at  the  time  period  [//,  t„]  commands  C/,  . C„.i  were  executed  in  the 

given  sequence  leads  us  to  fact  that  the  initial  slate  at  the  time  moment  //  can  define 
all  states  of  the  system  for  this  time  interval: 


(•/  e, 

State(t I }  — > Stcite(t -> ) — ^ Stote(t ^ >  State( t ^  }• 


(7) 


The  insecure  sequence  of  commands  is  defined  as  a  sequence  of  commands  C/,  Ci, 
...,  C„  /  executed  at  time  interval  [//,  t„]  having  the  following  conditions  true: 


C  C,  C„,t 

State( 7  >  State( / 2  J State( j  — > >  Stote( / „  j » 


n  -I 

(  J  IsSecure(State(t^  jj  =  7  j  a  JsSecure{State(t^^  ))—0)  • 

i-\ 


(H) 


Any  influence  that  can  be  represented  as  a  sequence  of  commands  that  bring  system 
to  a  state  in  which  IsSecure  function  is  zero  we  will  name  as  an  'attack  on  the  system'. 
At  the  .same  time,  removal  of  first  command  in  attack  sequence  brings  the  IsSecure 
function  to  unity.  Thus,  the  following  statement  is  true: 

The  attack  is  always  a  f  tie  f  fiber  of  insecure  sequence  of  con  it  minds  set. 

As  defined  above,  any  attack  fits  the  definition  of  insecure  sequence  of  commands. 
The  opposite  statement  is  false. 

Thus,  the  lifecycle  of  any  system  can  be  presented  as  a  chain  of  commands  that 
lead  to  system  .state  change.  And  the  attack  detection  problem  is  equal  to  matching 
thc.se  chains  to  known  attack  signatures. 


3  Sequences  Alignment  Algorithms 

III  bioinformatics,  a  sequences  alignment  is  a  way  of  arranging  the  sequences  of 
DNA,  RNA,  or  protein  to  identify  regions  of  similarity  that  may  be  a  consequence  of 
functional,  structural,  or  evolutionary  relationships  between  the  sequences  12). 

There  are  several  .sequences  alignment  algorithms  and  their  results  are  different. 
The  commonly  known  gene  sequences  alignment  algorithms  are  local  and  global 


220 


Y.A.  Markov  and  M.O.  Kalinin 


alignments.  Lets  explain  their  work  on  the  following  sample:  there  are  two  sequences 
of  the  commands  «opeti,  read,  open,  read,  write,  execute,  connect,  execute,  execute, 
write,  close,  write,  closer  and  «open,  read,  write,  execute,  execute,  execute,  write, 
write,  closer. 

Local  algorithm: 

open  read  open  read  write  execute  connect  execute  execute  -  write  close  write 


close 


-  -  open  read  write  execute  -  execute  execute  write  write  close  -  - 
Global  algorithm: 

open  read  open  read  write  execute  connect  execute  execute  write  close  write  close 
open  -  -  read  write  execute  -  execute  execute  write  -  write  dose 
where  the  symbol  denotes  a  gap,  i.e.  absence  of  the  command. 

Global  alignment  which  is  known  as  the  Needlman-Wunsch  algorithm  [3]  stretches 
the  smaller  sequence  along  the  bigger  one.  Local  alignment  which  is  also  known  as 
the  Smith*Waterman  algorithm  [4]  localizes  the  smaller  sequence  on  the  specified 
region  of  the  bigger  one.  Both  algorithms  can  be  used  on  sequences  of  any  length,  but 
the  Needleman-Wunsch  algorithm  is  traditionally  used  much  more  often  when  se¬ 
quences  have  approximately  equal  lengths.  The  Smith -Waterman  algorithm  is  used 
when  one  sequence  is  considerably  larger  than  another. 

3.1  Smith-Waterman  Algorithm 

The  algorithm’s  input  is  represented  with  two  sequences  a  =  «C«/,C^2---C«n»  and  h  = 
«Chi,Cf,2... and  the  similarity  function  co;fQ  u- Q  u-J— >  2  ,  where  Q,  and  Q 
are  the  sets  of  the  commands  that  form  the  sequences  a  and  h  respectively.  The 
symbol  denotes  absence  of  command.  Target  of  that  function  is  to  define  a  similarity 
degree  between  two  commands  if  they  stand  on  the  same  positions  in  different  se¬ 
quences.  For  example,  there  is  an  attack  with  a  purpiose  of  changing  some  files.  In  that 
case,  important  commands  are:  gaining  access  rights  to  open  and  write  file;  opening 
the  file,  and  writing  into  the  file.  For  any  important  commands  co  has  to  be  positive  in 
case  of  same  arguments;  and  negative  in  case  of  different  arguments.  For  any  non- 
important  commands,  function  co  is  zero.  Also,  the  important  commands  can  be 
differentiated  by  danger  degree  for  the  protected  system.  For  example,  if  there  is  a 
command  that  deletes  all  entities  in  the  system,  the  co  function  calculated  for  this 
command  can  be  set  to  10.  And  for  command  that  changes  any  entity  in  the  system, 
the  CO  function  can  be  set  to  2. 

Similarity  degree  between  two  sequences  is  represented  by  R  function: 


(9) 


The  first  stage  of  this  algorithm  is  the  filling  of  the  similarity  matrix  H.  The  matrix 
size  is  ni+J  on  w+7,  where  m  and  n  are  lengths  of  the  corresponding  sequences. 

Matrix  H  is  built  in  the  following  manner: 


Inielleclual  Inirusion  Deiection  wilh  vSequcnces  Alignmenl  Meihods 


221 


H{iA))  =  0,  0<i<m 
H{0j)=0,0<  j<n 


0 


H(iJ)  =  max> 


//(/-/J)  +  (o(C,,-) 


I  <i<  m 
I  <j<  m 


(10) 


After  the  matrix  is  filed,  the  second  stage  of  the  algorithm  is  made.  To  obtain  the 
optimum  local  alignment,  the  stage  starts  with  the  highest  value  in  the  matrix  (ij). 
This  cell  is  marked  as  the  current  one.  The  next  current  cell  is  the  largest  between  the 
following:  and  In  ease  of  equity  between  cells,  priority  is  given 

to  bij.  The  process  continues  until  it  reaches  the  cell  with  zero  value,  or  the  cell  (0,0). 
After  that  the  alignment  is  constructed  as  next:  starting  with  the  last  current  cell,  the 
process  reaches  (iJ)  using  the  previously-calculated  path.  A  diagonal  jump  implies  an 
alignment  (either  a  match  or  a  mismatch).  A  top-down  jump  implies  a  deletion.  A 
left-right  jump  implies  an  in.sertion. 

The  complexity  of  this  algorithm  is  estimated  as 

3.2  Needlenian-Wunsch  Algorithm 

The  Needleman-Wunsch  algorithm  has  few  differences  from  local  alignment  algo¬ 
rithm.  As  in  the  Smith-Waterman  algorithm,  there  are  two  sequences  on  input: 
a  =  «C,/,C;2  -  Qm»  itnd  h  =  «C/,/.C/,2.  •  and  the  similarity  function 

>  Z  •  One  of  the  differences  from  the  Smith- Waterman  algorithm  is  a 
constant  d,  which  defines  a  penally.  The  similarity  function  K  is  defined  as: 


l={) 


(ID 


Where  f,((i,h)  is: 


lUi.h) 


I  =-)v{h,  =-) 


(12) 


This  algorithm  is  also  consists  of  two  stages. 

First  of  all,  the  similarity  matrix  S  of  size  m+l  on  n-\-\,  where  m  and  n  are  lengths 
of  corresponding  sequences,  is  filled.  The  elements  .v,.oand  are  filled  with  values 
i*d  H  j*d,  correspondingly.  Other  elements  of  S  are  calculated  in  the  following 


manner: 


222 


Y.A.  Markov  and  M.O.  Kalinin 


0 

F(/-/J-l)  +  co(C„„CJ 


(i3) 


F(i-\J)  +  d 
F{iJ  -J)  +  d 


\<i<  m 
1  <  j<m 


On  the  second  stage  the  current  element  is  set  to  the  bottom  right.  The  next  current 
element  has  to  be  chosen  according  to  the  following  conditions: 


(14) 


In  case  of  meeting  a  couple  or  more  conditions,  the  priority  is  given  to  the  most  top. 
The  process  is  kept  until  it  reaches  the  value  in  position  (0,0). 

The  complexity  of  this  algorithm  is  estimated  as  0(///*/i). 

4  Intellectual  Attack  Detection 

4.1  Detection  of  Attack  Mutations 

Let  take  a  look  on  signature-ba.sed  host-based  IDvS  and  presume  that  the  intruder’s 
target  is  the  attack  implementation  in  way  of  evasion  of  IDS.  Common  ways  of  it  are 
described  in  [5]. 

Trace  of  system  is  defined  by  SysteniTrace  =  «C/,  C?,  C?...C,v».  The  Mali- 
ciousTrace  =  «C’/,  C*:,  C*j...C\f»  is  a  trace  corresponding  to  the  attack.  The  problem 
of  mutation  detection  is  to  discover  in  SysteniTrace  the  traces  corresponding  to  the 
attack  mutation  equal  by  a  result  to  the  attack  implemented  by  MaliciousTrace. 

The  set  Seq  =  [Secfi,  0<i<P,  P<N]  is  built  in  the  following  way: 


(15) 


Seq^  =C,  ,C2...Cp 
Seq  2  =  C^,Cv..C/, 


The  elements  of  Seq  are  to  be  compared  with  MaliciousTrace.  Considering  that  M  « 
P,  the  best  algorithm  for  similarity  calculating  is  the  Smith-Waterman  algorithm.  As 
the  algorithm  output  there  is  a  value  R.  In  ease  of  its  exceeding  the  value  of  a 
threshold  it  will  be  considered  that  SysteniTrace  contains  the  mutation  of  attack 
implemented  by  MaliciousTrace.  The  choice  of  threshold  is  the  main  problem  of  this 
attack  detection  method. 


Intellectual  Intrusion  Detection  with  Sequences  Alignment  Methods 


223 


The  maximum  number  of  commands  in  the  mutated  attack  that  this  method  can  de¬ 
tect  is  P.  But  increase  of  P  causes  increase  method  working  time.  Each  alignment  is 
performed  at  OiP^M),  The  quantity  of  alignment  is  (N-P),  So  the  complexity  of 
method  is  estimated  at; 

OiP^M^iN^P))  =  OiP'^M^N-l^^M)) .  (16) 

Thus  P  must  be  too  big  enough  to  detect  a  long  attack  and  too  small  enough  to  satisfy 
the  performance  requirements.  For  the  purpose  of  normalization  it  is  suggested  to  use 
the  next  function  instead  of  R: 

pu..  LengMb)  (17) 

R~(bJ?)  Length(h') 

Where  b  is  MciHciousTrace,  a  is  the  elements  of  Seq  set,  //  is  a  MaliciousTnice  se¬ 
quence  after  alignment.  In  case  of  Riai,  oi)  >  I^ngth(af)  for  all  sequences  «/,  the 
definition  range  of  this  function  matches  the  interval  [0,1].  The  nearne.ss  to  null  in¬ 
creases  a  probability  of  fact  that  this  trace  contains  a  mutation  of  attack  implemented 
by  MaliciousTrace. 

Therefore,  the  .sequences  alignment  algorithms  can  be  used  for  attack  mutation 
detection. 

4.2  Anomaly  Detection 

The  method  of  system  calls  sequence  analysis  is  described  in  |6]  and  after  that  had 
some  extensions  in  number  of  works,  for  example  in  (7|,  [8].  Let  SystemTracc  de¬ 
notes  a  system  trace  corresponding  to  a  normal  behavior.  The  set  Seq  =  [Seq^,  0<i<P, 
P<N\  is  built  in  a  following  way: 

Se(],=C,,C2...C,,  (17) 

Seq  2  = 

Seq^  \ 

NonnDb  is  a  set  of  elements  Seq.  This  set  repre.sents  a  database  of  sequences  that 
correspond  to  normal  behavior. 

Compare  is  a  comparison  function  of  two  sequences: 

Compare:  SeqxSeq  [0,1 )  •  (18) 

The  condition  of  addition  the  sequence  Seqt,  to  a  NonnDb: 

Seqj^  6  NormDb<=>  ^Seq^  €  NormDbA  Seq/^  ^  Seq^  :  ^ 

CompareiSeqi^ ,  Seq^ )  =  0  • 

The  sequence  will  be  added  to  database  if  it  is  not  equal  to  any  sequence  in  a  database 
in  terms  of  defined  comparison  function. 


224 


Y.A.  Markov  and  M.O.  Kalinin 


We  suggest  using  the  Needleman-Wunsch  algorithm  and  /?’  function  as  a  compari¬ 
son  function.  The  sequence  is  added  to  database  in  case  of  application  of  alignment 
algorithm  to  any  this  sequence  and  any  sequence  from  a  database  the  will  be  less 
than  a  threshold.  The  size  of  the  database  will  be  thus  decrea.scd. 


5  The  Results 

For  the  testing  on  practice  the  UNIX  system  calls  traces  are  used.  The  testing  traces 
for  xiock,  sendmail  h  Ipr  programs  are  taken  from  University  of  New-Mexico  site  [9]. 
For  each  program  there  were  a  traces  corresponding  to  normal  behavior  and  attacks, 

5.1  Detection  of  Attack  Mutation 

Firstly,  it  is  necessary  to  define  a  to  function.  Author  of  work  [18]  made  an  analysis 
how  to  divide  the  system  calls  in  four  groups  from  an  IT  security  point  of  view.  The 
first  group  is  most  dangerous,  the  fourth  is  the  less.  Therefore,  the  (o  function  can  be 
defined  in  the  following  manner: 


3.C„=C,,C„€l 
2,C,  =Q,C,€lI 

O.C^  =c^,c^€  IV 

(),(C,=-)V(C,=-) 


(19) 


There  were  no  attacks  in  original  traces.  The  maximal  values  of  R  and  R’  were  defined 
for  each  trace  and  for  different  values  of  P.  Table  1  contains  the  lest  results. 

Table  1.  Results  in  case  of  normal  traces  without  attacks 


p  1 

! 

1 

time,  .sec 

xl(Krk  trace  of  length  31729,  buffer  overflow  attack  1 

ICK) 

7 

0.08478 

4,3 

400 

7 

0.08478 

8,9 

700 

10 

0.00057 

13,7 

1000 

10 

0.00057 

22,6 

xiock  trace  of  length  21182,  buffer  overflow  attack  2 

100 

7 

0.07825 

4,2 

400 

7 

0.07825 

8,8 

700 

7 

0.07825 

13,6 

10(K) 

7 

0.07825 

22,5 

xlcK'k  irace  of  length  20973,  buffer  overflow  attack  3 

100 

1 1 

0.12308 

4.2 

400 

1  1 

0.12308 

8,8 

700 

1 1 

0.12308 

13,6 

1000 

1  1 

0.12.308 

22,5 

sendmail  trace  of  length  3222 1 ,  sun.scndmailcp  attack 

100 

7 

0.12088 

1,3 

400 

9 

O.OKXll 

7 

700 

1  1 

0.00932 

14,2 

1000 

11 

0.00932 

21,6 

Intellectual  Intrusion  Detection  with  Sequences  Alignment  Methods 


225 


The  results  meet  the  theory.  As  there  are  no  attacks  in  the  trace,  R'  is  considerably 
le.ss  than  1.  The  method  working  time  grows  with  P  growing. 

Then  the  mutated  attacks  were  added  to  each  trace.  The  mutated  attack  was  ob¬ 
tained  from  common  ones  with  adding  3,  6,  12,  and  24  system  calls  that  don't  affect 
the  attack  goal  (results  are  in  table  2). 

Table  2.  Results  in  case  of  traces  with  attacks 


Number  of  cominand  added  to  common  attack  |  R  |  R’ 

xlock  trace  of  length  31729,  buffer  overflow  attack  I 

3 

17 

0.8 

6 

17 

0.667 

12 

17 

0.5 

24 

17 

0.333 

xlock  trace  of  length  2 1 1 82,  buffer  ovciilow  attack  2 

3 

17 

0.8 

6 

17 

0.667 

12 

17 

0.5 

24 

17 

0.333 

xkK'k  trace  of  length  20973,  buffer  overflow  attack  3 

3 

17 

0.8 

6 

17 

0.667 

12 

17 

0.5 

24 

17 

0.333 

sendmail  trace  of  length  32221.  sun.sendmailc 

p  attack 

3 

16 

0.8 

6 

16 

0.667 

12 

16 

0.5 

24 

16 

0.333 

It  is  seen  from  the  results  that  R'  values  for  normal  traces  and  traces  with  attacks  are 
considerably  different.  So  this  method  can  be  used  for  the  mutations  detection. 


5.2  Detection  of  Attack  Mutations 


The  o>  function  was  defined  in  a  lollowing  way: 


j  3,r„  =  r, 


(20) 


The  penalty  value  d  was  set  to  -1.  The  threshold  value  was  set  to  0,7.  The  diagrams 
presented  on  figure  1  were  built  for  different  values  of  P. 

The  figure  shows  that  the  .size  of  the  database  was  considerably  decreased.  After 
that  it  was  checked  that  decreasing  has  no  affect  on  the  detection  ability  of  primary 
method.  It  is  demonstrated  in  tables  3  and  4. 

Estimating  the  performance,  the  primary  method  is  better  because  time  of  common 
compari.son  is  proportional  to  P.  and  sequences  alignment  is  proportional  to  P^. 
For  the  decreased  size  of  the  database,  the  suggested  method  takes  1,5-2  times  less 
than  primary. 


Number  of  signetures  Number  of  signatures  Number  of  signatures 


226 


Y.A.  Markov  and  M.O.  Kalinin 


P  =  8 


P  =  10 


P  =  12 


—  Needleman-Wunsch  — Common 


Fig,  1,  Comparison  of  relations  between  database  size  and  system  calls  number 


Intellectual  Intrusion  Detect  ton  with  Sequences  Alignment  Methods 


227 


Tabic  3.  Comparison  of  anomaly  percentage  in  case  of  traces  without  attacks 


Anomaly  percentage  in 
nontial  trace 

II 

oo 

It 

c 

N  =  12 

N-W 

Common 

N-W 

Common 

N-W 

Common 

scndmail 

0,30 

0,32 

0,40 

0,84 

0,44 

0,52 

xlock 

0,1  1 

0,11 

0,03 

0,10 

0,03 

0,10 

JE£ _ 

0,38 

0.41 

0.41 

0,56 

0,35 

0,57 

Table  4,  Comparison  of  anomaly  percentage  in  case  of  traces  with  attacks 


Anomaly  percentage  in 
trace  with  attack 

N  =8 

N=  10 

N  =  12 

N  W 

Common 

N  W 

Common 

N-W 

Common 

sun  send  mailcp 

22.5 

20,7 

22,5 

20,7 

24,2 

24,2 

decode 

23,5 

23,5 

23.5 

19,9 

27,2 

26,1 

syslog- local 

30,7 

30,7 

30,7 

28.6 

32,3 

31,4 

syslog-remole 

39,8 

39,8 

41,6 

.39.8 

43,1 

42,2 

buffer  overilow  xltK'k  1 

42,0 

41,8 

44,2 

44,1 

48,4 

48,4 

buffer  overflow  xlock  2 

42.4 

42.0 

43,3 

43,0 

47,5 

47,4 

Iprcp 

32,4 

32.1 

34,5 

.34,4 

37,6 

.37,1 

The  suggested  method  is  thus  an  improvement  of  primary  because  it  dcteets  attacks 
with  the  same  effectiveness  and  uses  the  decreased  database. 

6  The  Related  Works 

There  are  a  few  works  related  to  the  sequences  alignment  algorithms  used  at  mali¬ 
cious  activity  detection. 

In  1 10]  the  sequenees  alignment  algorithms  are  reviewed  for  the  pattern  matehing. 
Approach  was  to  detect  a  masquerade  of  normal  u.ser  behavior  by  the  intruder.  Au¬ 
thors  got  some  positive  results  in  compari.son  to  other  algorithms  Hybrid  Markov  and 
IPAM.  In  [11]  the  sequences  alignment  was  suggested  to  generate  the  attack  signa¬ 
tures  for  the  purposes  of  detecting  polymorphic  attacks.  The  generation  is  focused  on 
the  .string  mode  so  it  is  considerably  different  from  the  method  suggested  in  our  work. 

In  [51,  the  method  of  attack  mutation  detection  was  proposed.  They  defined  a  set  of 
no-ops  calls.  The  suggested  approach  was  consisted  in  searching  any  sequence  that  is 
equal  to  attack  signature  after  deletion  no-ops. 

The  approach  suggested  in  our  paper  is  more  unified,  flexible  and  effective  than 
the  analyzed  techniques.  For  example,  if  there  is  a  system  with  two  diflercnt  com¬ 
mands  that  implement  the  similar  operation,  our  method  ean  detect  every  kind  of 
attack  mutations  which  were  obtained  through  the  command  replacing. 


228 


Y.A.  Markov  and  M.O.  Kalinin 


7  Conclusion 

The  paper  reviews  two  sequence  alignment  algorithms.  The  results  obtained  for  the 
first  method  showed  that  some  parameter  which  is  a  criterion  for  attack  detection  is 
considerably  different  between  normal  traces  and  traces  with  attacks.  It  means  that 
this  method  can  be  used  in  practice  for  mutated  attack  detection.  It  means  that  in  IDS 
one  signature  can  be  used  for  detection  of  multiple  attacks,  even  those  attacks  that  are 
likely  to  be  unknown.  Also  this  method  is  helpful  in  reducing  the  size  of  the  signature 
database  in  case  of  signature-based  IDS.  It  is  very  important  to  reduce  the  database, 
because  a  number  of  attacks  grows  exponentially. 

The  future  work  has  the  objectives  to  investigate  the  use  of  sequences  alignment 
algorithms  to  detect  the  mutations  in  computer  viruses. 

The  results  obtained  for  the  second  algorithm  have  shown  that  comparing  it  to  pri¬ 
mary  slide  window  method  is  more  effective  in  memory  and  time  usage.  Ability  of 
attack  detection  is  not  changing  by  using  this  method.  It  is  also  important  that  this 
method  can  be  applied  to  any  anomaly-based  intrusion  detection  algorithm  that  uses 
any  kinds  of  sequences  to  build  behavior  profile. 


References 

1.  Harrison,  M.A.,  Ru/zo,  W.L.,  Ullman,  J.D.:  Protection  in  Operating  Systems.  Communi¬ 
cations  of  ACM  19(8),  461-471  (1976) 

2.  Needleman,  S.B.,  Wunsch,  C.D.:  A  general  method  applicable  to  the  search  for  similarities  in 
the  amino  acid  sequence  of  two  paileins.  Journal  of  Molecular  Biology  48(3),  443-453  (1970) 

3.  Smith,  T.F.,  Waterman,  M.S.:  Identification  of  Common  Molecular  Subsequences.  Journal 
of  Molecular  Biology  147,  195-197  (1981) 

4.  Kruegel,  C.,  Mutz,  D.,  Valeur,  F.,  Vigna,  G.:  On  the  Detection  of  Anomalous  System  Call 
Arguments.  In:  Snekkenes,  E.,  Gollmann,  D.  (eds.)  ESORICS  2003.  LNCS,  vol.  2808, 
pp.  326-343.  Springer,  Heidelberg  (2(X)3) 

5.  Wagner,  D.,  Soto,  P.:  Mimicry  attacks  on  host-based  intrusion  detection  systems*.  In:  Pro¬ 
ceedings  of  the  9th  ACM  Conference  on  Computer  and  Communications  Security, 
pp.  255-264.  ACM  Press,  New  York  (2002) 

6.  Forre.st,  S.,  Hofmeyr.  S.A.,  Somayaji,  A.,  Longstaff,  T.A.:  A  sense  of  self  for  unix  proc¬ 
esses.  In:  Proceedings  of  the  1996  IEEE  Symposium  on  Security  and  Privacy, 
pp.  120-128.  IEEE  Computer  Society  Press,  Los  Alamitos  (1996) 

7.  Data  Mining  Approaches  for  Inlnision  Detection, 

http: / /wwwl . cs . Columbia . edu/'-sal/hpapers/USENIX/usenix . html 

8.  Leon,  E.,  Nasraoui,  O.,  Gomez,  J.:  Network  Intrusion  Detection  Using  Genetic  Clustering. 
In:  Deb,  K.,  et  al.  (eds.)  GECCO  2004.  LNCS,  vol.  3103,  pp.  1312-1313.  Springer, 
Heidelberg  (2(X)4) 

9.  Computer  Immune  Systems, 

http:  /  /WWW.  cs  .unm.  edu/'-immsec/systemcalls  .htm 

10.  Coull,  S.E.,  Branch,  J.W.,  Szymanski,  B.K.,  Breimer,  E.:  Intrusion  Detection:  A  Bioinfor¬ 
matics  Approach.  In:  Proceedings  of  19th  Annual  Computer  Security  Applications  Confer¬ 
ence,  pp.  24-33.  IEEE  Computer  Society,  Los  Alamitos  (2(X)3) 

11.  Li,  N.,  Xia,  C.,  Yang,  Y.,  Wang,  H.:  An  Algorithm  for  Generation  of  Attack  Signatures 
Based  on  Sequences  Alignment.  In:  Proceedings  of  CSSE,  vol.  3,  pp.  964-969.  IEEE 
Computer  Society,  Los  Alamitos  (2008) 


Symptoms-Based  Detection  of  Bot  Processes 


•lose  Aiulro  Morales',  l^rlian  Kartaltepe' .  Shonhnai  Xu'''',  and  Ravi  Sandlin' 


'  Institiito  for  Cyber  Seeiirity,  University  of  Texas  at  San  Antonio 
{ jose . morales , erhan . kartaltepe , ravi . sandhu}Qutsa. edu 
^  Department  of  Computer  Science,  University  of  Texas  at  San  Antonio 

shxuQcs . utsa. edu 


Abstract.  Botiu'ts  have  become  the  most  powerful  tool  for  attackers 
to  victimize  coimtless  users  across  cybcrspac(\  Previous  work  on  l)otnet 
detect  ion  has  mainly  foenseti  on  identifying  infected  bot  computers  or  IP 
addresses  and  not  on  identifying  bot  processes  on  a  host  machiiu'.  This 
paper  aims  to  fd  1  this  gap  by  presenting  a  bot  process  detection  technique 
bas(‘d  on  proec'ss  symptoms  such  as:  TC'P  connection  attempts.  DNS  ac  ¬ 
tivities,  digital  signatures,  nnanthorized  process  tampering,  and  process 
hiding.  We  partition  symptoms  into  sets  which  are  input  into  classifiers 
gc'iierating  individual  detection  models  which  are  later  appropriately  iii- 
tc'grated  so  as  to  improve  the  detection  accuracy.  The  integrated  ap¬ 
proach  correctly  idc'iit  ifu'd  two  bot  processes  and  did  not  pi odnecsi  any 
false  positives  and  false  negatives. 

Keywords:  Bolm't  dettvtion,  bot  process.  pro(e.s.s  symptom,  behaviov- 
ba.s('d  detection,  symptom- based  detection. 


1  Introduction 

Botnets  are  an  effective'  tool  in  spam  distribution,  dcaiial  of  service  attacks,  illegal 
content  liostiiig  and  otlu'r  malicious  acts.  By  leasing  botnets,  malware  authors 
have  successfully  impU'iiieiited  i)rofitable  business  models.  These  dynamie  striie- 
tiirc'S  coiisi.st  of  sevc'val  infected  host  macliiiies  (hots)  niimiiig  tlu'  bot  software’ 
and  re.spemeliiig  to  the  bf)t  maste'r  s  instruct ie^iis.  Previous  weak  on  dete'ctioii  has 
mainly  fe)ciisod  eai  the  ielentificatieiii  of  infect  eel  hot  macliiiies  or  IP  addrc'sse's, 
and  ne)t  the'  actual  beit  proex'ss  e'xee  iiting  on  the  iiifen  teel  iiiacliiiie.  Idiis  research 
pre'sents  three  sets  of  jireieess-ba.sed  symptoms  elrawn  from  kiienvii  bot  sample's 
bot  iK'twork  ac  tivity  behavie)r,  unreliable  i^rovciiaiiee  aiiel  stealth  mechanisms 
that  are  integrated  togc'tlier  to  detect  bot  jirocc’ssc's  on  a  heist  mae  hine.  Spe'cif- 
ically,  wc'  make  the  following  cenitrihntioiis: 

Tlie  preKC's.s-basc'd  identification  of  (1)  Bot  iK’twork  activity  beliavior:  faik'd 
TCP  eeiimection  attempts,  DNS  and  reverse  DNS  cpieries;  (2)  Procc^ss  provc'- 
iiaiice:  ii.siiig  .static  file  image  digital  signature  verification  and  procc'ss/fik' 
syste'iii  tamper  ing;  (3)  Ste'aUli  iiR'chanisms:  using  the  absence'  e)f  a  graphical 
iisc'r  interface  and  no  recpiired  iisc'r  input  to  execute. 


I.  Kotniko  and  V,  Skormin  (Fats.):  XIMM-AC-NS  2010,  L.NCS  0258,  pp.  220  241,  2010, 
©  Springer- V^'i  lag  Berlin  Heidelberg  2010 


230 


J.A.  Morales  et  al. 


—  A  formal  detection  model  based  on  a  non-trivial  )ise  of  established  data  min¬ 
ing  algorithms  (C4.5).  We  conducted  a  thorough  experiment  on  generating 
and  evaluating  detection  models.  Results  show  our  methodology  leads  to 
better  detection  accuracy  for  both  centralized  and  Peer-to-Peer  (P2P)  hots 
than  a  straightforward  use  of  established  data  mining  algorithms. 

In  both  centralized  and  P2P  structures,  a  bot  must  establish  a  ('omiection  to 
participate  in  the  botnet  possibly  producing  several  failed  comieetion  attempts. 
Dots  use  DNS  activity  to  reduce  failed  connection  attempts  which  may  instead 
produce  failed  DNS  activity.  In  general,  a  process  will  attempt  to  connect  to 
the  input  IP  achlress  of  a  successful  reverse  DNS  query  and  the  returned  IP 
address  of  a  successful  DNS  query,  concluding  the  address  is  active.  Our  experi¬ 
ments  reveal  a  counterintuitive  approach  that  some  bots  attem])t  eoimecting  to 
IP  addresses  regardless  of  DNS  activity  results:  IP  addresses  that  did  not  return 
a  reverse  DNS  record  are  connec  ted  to  successfully  and  IP  addres.scs  that  did 
return  a  reverse  DNS  record  failed  to  connect.  Upon  host  infection,  bot  activity 
may  manifest  in  one  or  more  currently  ruiiiiing  proce.s.ses.  Bot  processes  may 
lack  a  digital  signature,  or  may  have  been  tampered  with  by  a  proc(^ss  lacking  a 
digital  signature.  Bots  tyi)ically  execute  without  user  knowledge  by  implement¬ 
ing  stealth  mechanisms,  such  as  lacking  a  gra])hical  user  interface  (GUI),  not 
requiring  keyboard  and  mouse  input,  removing  itself  from  the  list  of  currently 
active  i)roce.sscs,  and  so  on  [16]. 

The  rest  of  the  paper  is  organized  as  follows:  Section  2  is  related  work,  Sec¬ 
tion  3  presents  our  bot  detection  methodology,  Section  4  describes  the  chosen 
.symptoms,  Sc'ction  5  details  the  experimentation,  n'siilts  and  limitations,  and 
Section  6  gives  our  conch isioii  and  future  work. 


2  Related  Work 

Network-based  research  analyzing  botnets  such  as  [7,2,12]  use  different  tech¬ 
niques  characterizing  breadth  and  depth  of  centralized  and  P2P  botnets,  types 
of  performed  malicious  activities,  botnet  structures,  intrinsic  events  in  the  bot¬ 
net  lif('  cycle  and  hiding  techniques.  Botnet  detection  research  su(*h  ris  [5, 6, 1,4, 8] 
primarily  analyze  network  traffic  using  destination  IP  addresses,  IRC  server 
names,  packet  content,  sequence  of  intrinsic  bot  events,  crowd  n'sponse  and 
spatial-temporal  relationships  in  their  detection  teclmicpies.  This  rt'sults  in  the 
identification  of  several  infected  host  machines  as  members  of  a  centralized  or 
P2P  botnet.  The  rc.scarch  pr(\sented  by  Zhu  ot.  al.  [18]  is  a  host-1  )<i.s(*d  detection 
technique  of  bots  i)riinarily  based  on  a  high  rate  of  failed  connection  attemj)ts. 
Connection  failure  rate's  of  known  bots  are  measured  against  benign  proc(*s.ses 
and  show  that  bots  can  be  identific'd  and  distinguished  from  benign  processes 
ba.sed  on  this  single  metric.  Only  measuring  failed  eoimection  attenii)ts  may  be 
most  effective  with  IP  addresses  of  dead  botnets,  di.scovered  botnets  and  i)ar- 
tially  ac  tive  botnets.  However,  a  single  metric  is  not  (uiough  to  dc'tc'ct  active  bots 
which  can  possibly  lead  to  the  production  of  false  negative's,  especially  with  bots 


SyiiiiJtoiiis- Based  Detection  of  Bot  Brocess<\s 


2M 


designed  to  limit  failed  connection  attempts.  Our  rc’searcli  us(»s  the  novel  ap- 
proacdi  of  analyzing  failed  coiiiK'ction  attemi)ts  in  relation  with  DNS  activity  as 
the  basis  of  our  bot  network  activity  behavior  symptoms,  along  with  symptoms 
for  unn'liable  provenance  and  stealth  mechanisms  facilitating  the  id(uit ificat ion 
of  several  metrics  of  snspi(‘ions  processes  producing  a  more  robust  detection  tech- 
iii(jue.  Establishing  relationships  between  observed  network  data  of  a  process  is 
noved  to  this  res(\ir<‘h  as  most  ndated  work  consideTC'd  observed  lU'twork  data 
ill  an  isolated  or  seejueutial  form.  Relating  together  different  observed  network 
behaviors  reveals  dependencies  bot  processes  have  on  various  network  servi(‘('s. 
Analyzing  these  dependenci(\s  faeilitates  deeper  understanding  of  bot  iKdiavior 
which  may  not  be  ai)preciable  in  isolated  or  se(inential  analysis  of  observed  net¬ 
work  data.  Onr  approaeh  eoinphineiits  these  two  forms  of  analysis  and  enhances 
niid(MStaiiding  by  adding  a  new  perspective  on  bot  behavior. 

3  Bot  Detection  Methodology 

Onr  modc'Ps  prcMiiise  is  that  l)ot  and  benign  processes  will  exhibit  differeiit  re(‘- 
ogiiizable  cliaractei ist ies  that  can  be  utilized  via  appropriatt'  algorithms.  Tlu' 
differcMices  may  be  characterizc'd  by  a  s(’t  of  attributes  maj)j)e(l  to  a  set  of  symp¬ 
toms.  l.et  ns  denote  by  A  the  universe  of  hot  proc(\ss  attribute's  and  by  P  a  {)ro- 
cess  currently  executing  on  a  host  machine  with  symptoms  Psymjn  .  •  •  ^\ytnp^  ^ 
with  r('sj)eet  to  A.  The  goal  is  to  determine  the  i)redicat('  Bot{P),  which  d('- 
tenihiies  if  P  is  a  bot.  true  iiu'ans  “yes'*  and  false  iiu'aiis  “no".  WV  want  to 
identify  a  fiiiKdion  f  that  (computes  Dot{P)  =  ^Psyynpi  •  •  P.^^ymp  We  can 
approximate'  the  nnkne)\vn  f  via  a  fmietioii  /.  A  straight fe)rwarel  e‘e)nstrne‘tie)ii 
e)f  /  we)iilel  be  output  e)f  an  establishe'el  elata  mining  algeirithm.  ele'iieite'el  as  /o. 
Such  /o  may  not  e)frer  the  ele\sire'd  eletection  ae  ciiracy.  inspiring  us  to  propose  the 
fe)}lowing  inethe)ele)]ogy:  We  can  af)i)re)priate’ly  (1)  j^artitioii  the'  attribute's  A  into 
multiple'  siibse'ts  ba.sed  on  eertaiii  domain  kneiwle'elgc.  (2)  generate  a  fiiiietioii  (f, 
corre'speinding  te)  the'  .syini)t()ms  with  respect  to  each  i)art  itie)n  ejf  attri])iites.  and 
(3)  eaeate*  fimclieni  /  base'el  on  ce)mpe)siiig  the*  iiieliviehial  fime't  ie)ns  e/,. 

Specifically,  w(‘  pre)pej,se  te)  partitie)ii  attributes  ba.se'el  e)n  the  following  'iife'- 
e*\ele"  pe'rsi)e'e-tive*  e)f  be)t  proec'.sse's:  A\,  hot  process  network  aeiiviiy  behavion 
A2,  hoi  process  provenance:  A3,  hot  process  stealth  7nerlianrsn}s.  With  respect 
to  A},  we'  lie)j)e'  te)  appioximate  the  pre'eliecite  B{P).  which  iiielicatf's  if  P  is  e'x- 
hibitiiig  hot  netwe)rk  activity  hehavie)r  via  a  fiinctie)n  e/i.  With  iTspe^et  te)  A2. 
we  he)|)e  to  approximate'  the  predicate  lf{P),  which  iiielie^atc's  if  P  has  a  imre'li- 
able  prove'iiaiice  via  a  fiiiietion  //2.  With  resi)e'ct  te)  A3,  we  hope  to  aj>proximate 
the  preelieate  S{P),  which  iiielicates  if  P  Inus  e'liiployed  stealth  inechanisins  via 
spe'cific  known  te'ediiuepie.s  via  a  function  e/3.  I'he  desireel  fimetion  /  (‘an  be'  con¬ 
structed  using  e/i,  p2  Oa  with  flexible  use*  of  data  mining  te'clmiepies  coupled 
with  expe'it  kiiowk'dge.  We  partition  the  hot  proce'ss  syiiiptoius  into  three  sub¬ 
sets  wlu're'  a  .symptom  repivseiits  an  occurred  e'xeciition  eve'iit  or  a  prope'rty  that 
is  prese'iit  during  the  life  cye  le  of  a  bot  proc('.ss. 

Approximating  the  predicate  B{P)  with  function  y\{P).  Intuitively,  (/i(/’) 
analyzes  network  aedivity  of  a  process  P  with  a  set  of  .symptoni.s  determining  if  P 


232 


J.A.  Morales  et  al. 


is  exhibiting  similar  network  activity  of  known  hots.  The  set  of  symptoms  Dgym 
consist  of  n  >  1  symptoms  where  each  bg  describes  a  symptom  of  network  activity 
previously  observed  in  a  known  bot  sample.  P^ai  ^^'t  of  in  responses  0  from  a 
process  P  which  forms  a  one-toone  mapping  with  each  bg  in  P^ym  ^nd  is  used  to 
determine  if  B{P)  is  true  or  false.  The  values  of  Or  are  aequired  by  analyzing 
the  network  activity  behavior  of  a  process  P  during  execution.  The  function  g\  {P) 
returns  true  if  and  only  if  there  exists  a  value  Pr  with  Or  =  true  corresponding  to 
a  symptom  bg  in  Dgymy  thus  we  have: 


P.syin  —  {6]  .  .  .  6,5  .  .  .  bjf  } ,  Pval  —  {Pl  •  0i  .  .  .  Pr  Or  ••  •  Pm  •  } 

B{P)  =  9i{P)  =  true  <=>  ^bg.pr  :  (.s*  =  r  AOr  =  true)  (1) 

When  Or  =  true,  P  exhibited  the  described  network  activity  of  symptom  65.  If  all 
Or  evaluate  to  false,  then  P  does  not  exhibit  bot  behavior  and  yi{P)  ~  false; 
but  if  just  one  Or  evaluates  to  true  then  P  has  the  specific  symptom  bg  and  gi{P)  = 
true. 

Approximating  the  predicate  U{P)  with  function  <72 (^)-  Intuitively,  g2{P) 
compares  origin  information  of  a  given  process  P  with  a  set  of  symptoms  Ug  G 
Psym  deciding  if  the  process’s  provenance  is  reliable.  This  predicate  asks  the  (pies- 
tion:  has  the  origin  of  proeess  P  been  malevolently  tampered  or  creatc'd  making  it 
unreliable?  A  response  of  true  indicates  it  is  not  reliable;  false  indicates  it  is.  The 
symptoms  are  a  list  Ui  . . .  . . .  Un,  n  >  1  submitted  to  a  process  P  which  returns 

a  set  of  values  Pvai^  . .  .p,  . .  .pm^  ^nd  compared  with  Ugym-  Each  symi)toin  iig 
precisely  states  a  singular  scenario  of  process  unreliability  previously  observed  in 
a  known  bot  sample  which  tami)ered  or  created  another  process  in  a  malevolent 
manner.  Each  result  pr  G  Pvai  contains  an  answerer  =  true  or  false,  which  cor¬ 
responds  to  the  claim  Ug  G  Ugym-  The  function  g2{P)  will  return  true  if  and  only 
if  an  answer  of  a  result  pr  G  Pval  is  true,  thus  we  have: 


P sym  —  {^1  ■  ■  ■  lig  .  .  .  ILjx }  i  P val  —  {Pl  •  •  •  •  Pr  ■  •  Pm  *•  ^rn  } 

P{P)  —  g2{P)  =  true  3?/.s,Pr  :  (s  =  r  =  true)  (2) 

If  Pral  returns  all  false  answers  then  it  is  reliable  and  gziP)  =  false;  if  just 
one  pr  G  Pval  lias  a  value  =  true,  then  P's  provenance  is  not  reliable  and 
02{P)  =  true. 

Approximating  the  predicate  S{P)  with  function  g^{P).  Intuitively,  g‘s{P) 
determines  if  a  process  P  is  implementing  stealth  mechaiiisms  previously  observed 
in  a  known  bot  sample.  The  set  of  symptoms  Sgym  cf>usist  of  7i  >  1  symptoms 
Si ...,Ss,..,sv  where  eaeh  Hg  describes  a  specific  stealtli  meehanisiii  previously  ob¬ 
served  in  a  known  bot  sample.  P^ai  is  a  set  of  in  Responses  from  a  i>rocess  P 
wliK-li  forms  a  one-to-one  mapping  with  each  Sg  in  Sgym  and  is  used  to  determine  if 
S{P)  is  true  or  false,  pr  values  are  acquired  by  analyzing  the  execution  behavior 
of  process  P  for  the  po.ssible  use  of  known  stealth  mechanisms.  The  function  g^iP) 


Symptoms- Erased  Detection  of  I3ot  Processes 


233 


rotiiriis  true  if  and  only  if  there  exists  a  vahie  with  //,  ~  true  eorrespoiiding 
to  a  syiiiptoni  .s.s  €  Ssym,  thus  we  have: 

^syni  ~  {•‘'I  •  •  ■  '^.s  •  ■  •  ^'n  } '  ^ vnl  —  {Pl  '•  f^  \  •  •  ■  Pr  •  pr  ■  •  ■  ]hri  ’•  Pm  } 

S{P)  =  =  true  <=>  3.s\s,Pr  :  {s  =  r  A  fir  =  true)  (3) 

The  implication  of//,.  =  true  is  that  P  exhibited  the  specific  known  stealth  inecli- 
anisin  descriE)ed  in  syniptoin  .s,,.  If  all  //^  evaluate  to  false,  then  P  does  not  ex¬ 
hibit  known  stealth  inechaiiisins  and  g:i{P)  —  false;  but  if  just  one  //,.  evahiat/'s 
to  true  then  P  has  the  specifie  syinptoiii  .s.s  and  g^{P)  ~  true. 

Approximating  the  predicate  f  with  function  /  based  on  functions  fyi, 
g2  and  g:\.  We  approximate  f  via  a  fimetioii  /  by  utilizing  g\.  g2  and  g:\.  Three 
example  definitions  to  determine  13()t{P)  are: 

/i(/^)  =  g\{P)  V  {g2{P)  A  g:^{P)).  This  is  the  least  restrictive,  since  a  process  is 
deemed  a  bot  when  it  exhibits  bot  network  activity  behavior  or  has  both  an  un¬ 
reliable  provenance  and  luus  stealth  niechanisms.  False  positive's  can  be  prod  need 
by  benign  processes  with  an  instance  of  bot  network  activity  behavior  such  as  a 
proce.ss  with  a  successful  coniu'ction  attempt  to  the  input  IP  addr(\s.s  of  a  failed 
reverse  DNS  (piery. 

f2(P)  =  g\(P)  A  {g'2{P)  V  g:i{P)).  This  is  more  restrictive,  the  and  (A)  o{)era- 
tor  requires  ci  process  to  exhibit  bot  behavior  and  either  unreliable  provenance  or 
stealth  mechanisms.  This  will  foeus  detection  more  on  processes  with  bot-like  1k'- 
havior.  False  positives  can  arise*  with  benign  processes  lacking  a  digital  signature, 
thereby  giving  them  unreliable  provenance,  while  having  an  instance  of  bot  net¬ 
work  activity  behavior  such  as  a  failed  connection  attempt  to  the  input  IP  address 
of  a  successful  reverse  DNS  (}uery.  This  definition  excludes  possible  det(‘ction  of 
bots  that  possess  unreliable  provenance*  and/or  stealth  me'chanisms  but  de)  not 
she)w^  be)t  iK*tw'e)rk  activity  behavior. 

h{P)  =  gii^)  A  g2{f^)  A  e/s(P).  This  is  the  ine)st  r(*strie*tive  with  the  and  (A) 
ope'rate)rs  reepiiring  trijde  analysis  with  each  conipe)nent  returning  true.  A  pro¬ 
cess's  is  de‘eme*el  a  bot  whe‘n  it  exhibits  bot  netw'ork  activity  behavior,  nnre*liable' 
provenance  and  stealth  niechanisms.  This  detection  has  the  highe'st  probability  of 
idenitifying  malie  ioiis  bots.  anel  excluding  benign  proe*e*sse*s.  A  proce's.s  with  an  un¬ 
reliable*  jaovenaiice  or  exhibiting  bot  behavior  or  ste*alth  me*chanisnis  is  assnm(*el 
benign  which  could  produce  a  false  ne*gative. 

4  Symptoms  of  Bot  Processes 

Bot  Beliavior  Symptoms.  Evaluating  a  process's  be)t  ne'twork  activitv'  behavior 
emplovvd  three  symptoms  in  .set  All  the  symptoms  were  bcised  on  a  proerss 

P,  on  a  local  maehine,  interacting  with  and  re*sponding  to  TCP  protocol  coimec'- 
tion  attempts  and  DNS  activity  (DNS  qn(Tic*s  and  reverse  DNS  eineric's). 
b\:  Failed  connection  attempt  to  tlie  returned  IP  address  of  a  success¬ 
ful  DNS  query.  This  is  considered  abnormal  behavior;  a  successful  DNS  query 


234 


J.A.  Morales  et  al. 


suggests  the  retiirnod  IP  address  is  active  and  can  establish  connections.  Many  of 
these  IP  addresses  failing  to  connect  were  also  the  inj^iit  IP  of  a  failed  reverse  DNS 
query. 

62:  IP  address  in  a  successful  DNS  activity  and  connection.  This  is  con¬ 
sidered  normal  beliavior.  A  DNS  activity  can  be  either  a  DNS  cjiiery  or  a  reverse 
DNS  cillery.  More  precisely,  we  consider  the  returned  IP  address  of  a  successful 
DNS  query  or  the  input  IP  address  of  a  successful  reverse  DNS  query  which  is  also 
used  in  a  successful  connection.  In  our  analysis  several  more  bots  than  benign  j)ro- 
cesses  connected  to  such  IP  addresses.  This  further  implies  the  dependency  bots 
have  on  DNS  activity  when  attenij^ting  connections  to  remote  hosts. 

63:  Connection  attempt  to  the  input  IP  address  of  a  failed  reverse  DNS 
query.  This  is  considered  abnormal  behavior;  an  IP  address  failing  a  reverse  DNS 
query  should  be  presumed  inactive  and  should  not  be  used  in  a  connection  at- 
tem])t.  Almost  all  analyzed  bot  samples  performed  reverse  DNS  queries  j)ossibly 
to  harvest  new  domain  names  of  malware  servers  or  infected  hosts.  Some  l)ots 
failed  to  connect  with  the  input  IP  addresses  of  a  successful  reverse  DNS  query 
and  other  bots  successfully  connected  to  input  IP  addresses  of  a  failed  reverse 
DNS  query.  This  counterintuitive  use  of  input  IP  addresses  used  in  failed  reverse 
DNS  requests  implies  bots  attempt  TCP  connections  with  IP  addresses  regard¬ 
less  of  DNS  activity  results  for  reasons  other  than  TCP  connection  attempts.  One 
possible  motivation  may  be  the  reverse  DNS  query  is  used  solely  to  dynamically 
acq\iirc  during  execution  new  IP  addresses  or  domain  names  of  malware  servers, 
redirection  servers  or  newly  infected  victim  machines.  This  helps  bots  by  having 
to  store  fewer  IP  address/doniain  name  pairs  in  their  static  file  images  prior  to 
initial  execution;  thereby  making  it  harder  for  security  personnel  to  predetermine 
the  structure  and  components  of  a  botnet  just  through  static  file  image  analysis. 
Unreliable  Provenance  Symptoms.  Determining  the  provenance  of  a  i)rocess 
employed  three  symi^toins  in  set  Usym-  Selection  of  these  symptoms  were  based 
on  verifying  the  existence  of  a  static  file  image’s  digital  signature  for  known  bot 
and  benign  files,  files  of  bot’s  parent  process,  and  analyzing  jn  ocess  memory  for 
nnauthorized  modification  by  some  other  i)rocess  primarily  through  dynamic  code 
injection.  The  absence  of  a  digital  signature  in  a  file  or  the  parent  file  that  created 
it  raises  siisj^icion  due  to  its  unknown  origin.  All  of  our  bots  and  a  few  benign  static 
file  images  lacked  a  digital  signature.  Most  of  the  static  file  images  of  benign  soft¬ 
ware  installers  were  digitally  sigiu'd.  Dynamic  code  injection,  mostly  a  malevolent 
technique  coercing  a  process  into  unauthorized  behavior  [16,15],  is  frequently  used 
by  our  analyzed  bots  on  benign  processes  which  then  exhibit  bot  behavior. 

Mi:  Standalone  executable’s  static  file  image  does  not  have  a  digital  sig¬ 
nature.  A  standalone  executable  file  is  written  directly  to  the  file  system  with¬ 
out  an  installer.  Malware  contained  in  email  attachments,  website  downloads  and 
portable  memory  infect  a  system  this  way  [16|.  The  majority  of  the  analyzed  be¬ 
nign  standalone  executables  had  digital  signatures.  All  of  our  standalone  bot  sam¬ 
ples  lacked  a  digital  signature. 

M2:  Dynamic  code  injector’s  static  file  image  does  not  have  a  digital  sig¬ 
nature.  Dynamic  code  injection  is  used  by  bots  to  infect  legitimate  processes 


Syinj)toius-Basecl  Dotoct  ron  of  Bot  Processes 


235 


(1  ().3] .  There  are  benevolent  uses  for  this,  such  as  debugginj^  and  (h'tection  of  suspi¬ 
cious  activity  wliero  tlie  injector's  static  file  image  almost  always  contains  a  digital 
signature.  Bot  injectors  typically  do  not  have  digital  signatures.  A  proc  ess  whose 
injector  lacks  a  digital  signature  is  identified  as  having  an  unreliable  provc'iiancc* 
since  the  iiijc'ctor’s  origin  cannot  be  established. 

Creator  of  process’s  static  file  image  docs  not  have  a  digital  signa¬ 
ture.  Bots  will  self-replicate  or  install  other  malware  on  a  system  [16].  The  newly 
cremated  malware  may  or  may  not  have  a  digital  signature  but  the  malware  installer 
will  likely  lack  a  digital  signatnn*,  which  is  considered  unreliable  provenaiue.  An 
installed  file  lacking  a  digital  signature  with  its  installer  having  a  digital  signature 
is  ( onsidored  to  have  a  reliable  provcuiance. 

Stealth  Mechanism  Symptoms.  Evaluating  a  process’s  stealth  niechaiiisins 
employed  two  symptoms  in  set  Ssym^  <dl  based  on  a  process  P’s  use  of  graphical 
user  interfaces  (GUI)  along  with  rc'ading  keyboard  and  mouse  inputs. 

si:  Graphical  user  interface.  A  vast  amount  of  benign  software  interact  with 
the  user  \  ia  a  GUI.  Bots  typically  do  not  use  a  GUI  since  it  calls  attention  to  their 
(wistence  and  may  result  in  their  termination  [!()].  A  process  executing  without  a 
GIT  is  considered  to  have  a  stealth  inecliaiiism. 

S2:  Human  computer  interface.  A  iKUiign  program  may  recpiire  user  input  to 
execute  an  operation;  this  is  typical  interaction  between  application  and  us('r.  Bots 
tend  to  execute  their  nefarious  acts  without  the  ue('d  of  explicit  user  input.  A  pro- 
cc'ss  execaiting  without  reading  keyboard  or  mouse  events  is  considered  to  have  a 
st(*alth  mechanism. 


5  Experiment  and  Results 

Data  Collection  and  Instrumentation.  Bot  data  collection  was  done  using 
VMVV^an'  Workstation  rimuiiig  Microsoft  Windows  XP  SP2  with  no  npdaU's  and 
110  antivirus.  Four  active  bots:  virut,  waledac,  wopla.  bobax.  and  five  inactive 
bots:  nugache,  wootbot,  gobot,  spybot.  storm,  were  exec  uted  for  a  twelve  hour 
l)oriod.  These  centralized  and  P2P  bots  possess  different  stealth  inechanisins.  di¬ 
verse  (‘ommand  and  control  channels,  various  packet  eiuTyption  and  self  nj)dat(\s. 
Packets  were  captured  using  Windows  Network  Monitor.  Detecting  dynamic  code 
injection  and  Bot  replication  was  accomplislKHl  with  a  real  time  monitor  imple¬ 
menting  known  techniques  [15.11].  Digital  signature  verification  of  static  file  im¬ 
ages  was  done  using  Sigcheck  [14].  An  enhanced  version  of  GlobalHook  [10]  was 
n.sed  to  collect  keyboard  and  mouse  input,  GUI  presence  was  recorded  using 
EasyHook  [9].  Collecting  data  of  known  benign  processes  was  performed  on  two 
v('rified  malware-free  desktops  running  Windows  XP  SP2  for  twelve  hours  during 
which  both  machines  performed  several  network-based  activities  including  web 
browsing.  FTP,  instant  messaging,  P2P  file  sharing  and  software  updates.  I'he  col- 
k'ction,  with  20  bot  processes  and  62  benign  processes  (41  different  applications 
with  some  being  tested  multiple  times)  listed  in  Table  1 ,  produced  a  diversity  of 
symptom  combinations.  In  Fable  1.  most  of  the  symptoms  have  {Y('s,No}  values 


236  J.A.  Morales  et  al. 


Table  1.  Bot  and  Benign  Processes  Used  in  the  Training  Set 


Bot  Processes 

Bot 

Process 

Bot  Network 

Unreliable 

Stealth 

Name 

Name 

Activity  Behavior 

Provenance 

Behavior 

bi 

b2 

bs 

U\ 

U2 

U3 

■s'l 

S2 

Niigache 

mstc.exe 

Yes 

0 

Yes 

No 

Yes 

Yes 

No 

No 

Virut 

Svchost.exe 

Yes 

0 

Yes 

No 

Yes 

No 

No 

No 

Svchost.exe 

Yes 

0 

Yes 

No 

Yes 

No 

No 

No 

winlogoii.exe 

No 

2 

Yes 

No 

Yes 

No 

No 

No 

svchost.exe 

No 

1 

Yes 

No 

Yes 

No 

No 

No 

svchost.exe 

No 

0 

Yes 

No 

Yes 

No 

No 

No 

svchost.exe 

No 

0 

Yes 

No 

Yes 

No 

No 

No 

svchost.exe 

No 

2 

Yes 

No 

Yes 

No 

No 

No 

Waled  ac 

Save.exe 

Yes 

123 

Yes 

Yes 

No 

No 

No 

No 

Wop  la 

RimdI132.exe 

Yes 

1 

Yes 

No 

Yes 

No 

No 

No 

Bohax 

Explorer.exe 

No 

2 

No 

No 

Yes 

No 

No 

No 

Wootbot 

videosd32.exe 

Yes 

0 

No 

No 

Yes 

Yes 

No 

No 

Gobot 

Gobot-o.exe 

Yes 

0 

Yes 

Yes 

No 

No 

No 

No 

Spy  bot 

wuaghqr.exe 

Yes 

0 

No 

No 

Yes 

Yes 

No 

No 

Storm 

testdIU.dll 

Yes 

0 

Yes 

Yes 

No 

No 

No 

No 

Bob^LX 

Explorer.exe 

Yes 

2 

Yes 

No 

Yes 

No 

No 

No 

Wopla 

Rundll32.exe 

No 

4 

Yes 

No 

Yes 

No 

No 

No 

W^aledac 

waledac.exe 

Yes 

7 

Yes 

Yes 

No 

No 

No 

No 

Virut 

winlogon.exe 

No 

2 

Ye.s 

No 

Yes 

No 

No 

No 

svchost.exe 

No 

2 

Yes 

No 

Yes 

No 

No 

No 

Benign  Processes 

360tray 

Flock 

Mercury 

Skype 

AOL  Explorer 

Fox  mail 

MS  Messenger 

Snarfer 

Avaiit 

Google  Chrome 

Msfeedssync 

stormliv 

Bittorrent 

googlepinyindaemori 

Mstc 

Svehost 

BlogBridge 

Internet  Explorer 

Opera 

Thin  Reader 

Btdna 

.Jusched 

Ppstream 

ThunderBird 

ccApp 

Kaspersky  AV 

RSS  Bandit 

WinSCP3 

Cnteftp32 

K-Meleon 

RSS  Owl 

wlconmi 

Explorer 

LimeWire 

Rundll32 

whnail 

Feed  Reader 

Maxthon 

SeaMonkey 

Xdict 

Firefox 

with  Yes  true  and  No  false,  except  in  Si  and  .S2  where  Yes  false  and 
No  ►  true.  Symptom  62  is  considered  normal  behavior  and  presented  as  a  total 
occurrence  amoinit.  Test  data  was  collected  using  five  laptops,  with  minimal  secu¬ 
rity  and  no  recent  malware  scans,  for  eight  to  twelve  hours.  A  post-test  data  col¬ 
lection  malware  scan  of  all  five  laptoj)s  revealed  two  bot  processes:  servwin.  exe 
as  the  cutwail  bot  which  was  not  part  of  the  training  s('t,  and  TMP94.tmp  as  the 
Virut  bot  The  test  set,  listed  in  Table  2  consisted  of  3 1  processes  including  two  bot 


Syniptoius-BaMHl  Detection  of  Bot  Processes  237 


Table  2.  Test  Set:  Decision  Tree  and  Bot  Process  Predictions 


Process 

Bot  Network 

F 11  reliable 

Stealth 

Bot 

Name 

Activity  Behavior 

Proven an ee 

Beliavior 

Prediction 

hx 

62 

63 

B{P) 

Ui 

^2 

llA 

U(P) 

•si 

•S2 

S(P) 

/o 

/i 

h 

h 

svcliost.exc^ 

N 

0 

N 

F 

N 

N 

N 

F 

X 

N 

T 

F 

F 

y 

F 

googletalk.exe 

N 

2 

N 

F 

N 

N 

X 

F 

Y 

Y 

F 

F 

F 

F 

F 

firefox.exe 

N 

5 

N 

h' 

N 

N 

N 

1^^ 

Y 

Y 

F 

F 

y 

F 

F 

ciitftp32.exe 

1 

N 

T 

Y 

N 

N 

T 

N 

N 

F 

F 

T 

T 

F 

firefox.exe 

N 

44 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

svciiost.exe 

N 

0 

N 

y 

N 

N 

N 

F 

N 

N 

T 

F 

F 

F 

servwin.exe 

Y 

0 

Y 

\ 

Y 

N 

N 

'V 

N 

N 

1 

T 

r 

T 

hVaniework 

S<’r  vices.exe 

N 

1 

N 

F 

N 

N 

N 

y 

N 

N 

T 

V 

i‘^ 

F 

F 

iexpIore.exe 

N 

126 

N 

F 

Y 

N 

T 

Y 

Y 

y 

V 

F 

F 

F 

firefox.exe 

N 

49 

N 

F 

N 

Y 

N 

T 

Y 

Y 

F 

T 

F 

F 

F 

ruiidll32.exe 

N 

1 

N 

F 

N 

N 

N 

F 

N 

N 

T 

F 

F 

F 

F 

firefox.exe 

N 

67 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

firefox.exe 

N 

7 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

i(‘xpIore.exe 

N 

54 

N 

1* 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

1^ 

firefox.exe 

N 

45 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

firefox.exe 

N 

10 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

1^^ 

F 

F 

1^ 

SsIiC  ’lieiit.ex(‘ 

N 

1 

N 

F 

Y 

N 

N 

T 

Y 

Y 

F 

y 

F 

F 

F 

BitLord.exe 

Y 

1 

N 

T 

Y 

N 

N 

T 

N 

N 

F 

F 

T 

T 

F 

Acrobat  .exe 

N 

1 

N 

I' 

N 

N 

N 

y 

Y 

Y 

!• 

F 

y 

F 

y 

Tliimder5.exe 

Y 

13 

N 

T 

N 

N 

N 

F 

Y 

Y 

F 

F 

T 

F 

F 

Thunder 

Mini.site.exe 

N 

7 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

I'linnderb.t’xe 

Y 

24 

N 

T 

N 

N 

N 

F 

Y 

Y 

F 

F 

T 

F 

F 

\vinplayer.exe 

Y 

17 

N 

T 

N 

N 

N 

F 

Y 

Y 

F 

F 

T 

F 

F 

setup win.exe 

N 

I 

N 

F 

N 

N 

N 

1^ 

Y 

Y 

!’ 

!•' 

F 

F 

F 

clironie.exe 

N 

3 

N 

F 

N 

N 

N 

F 

Y 

Y 

F 

F 

F 

F 

F 

T\[P!)4.tnip 

N 

3 

Y 

T 

N 

Y 

N 

T 

N 

N 

T 

T 

T 

T 

T 

Cioogle 

rpdat(‘.exe 

N 

1 

N 

F 

N 

N 

N 

F 

X 

N 

T 

F 

F 

F 

F 

Cioogle 

Update.exe 

N 

1 

N 

F 

N 

N 

N 

N 

N 

r 

F 

y 

y 

chroiue.exe 

N 

28 

N 

y 

N 

N 

N 

y 

Y 

\' 

y 

F 

F 

F 

y 

Adobe. 

F 

F 

F 

F 

l^pdater.('xe 

N 

2 

N 

y 

N 

N 

N 

F 

Y 

Y 

y 

F 

F 

F 

F 

giip.exe 

N 

1 

N 

F 

N 

N 

N 

F 

Y 

Y 

y 

F 

F 

F 

F 

Tvanst.exe 

Y 

1 

N 

T 

Y 

N 

N 

T 

N 

N 

y 

F 

T 

T 

F 

nisfeeds 

svnc.exe 

N 

1 

N 

y 

N 

N 

N 

y 

N 

N 

r 

F 

F 

F 

F 

zclientin.exe 

N 

1 

N 

y 

N 

N 

N 

F 

N 

N 

T 

F 

F 

F 

F 

238 


J.A.  Morales  et  al. 


processes,  the  rest  were  assumed  benign.  One  of  the  bot  processes  and  several  of 
the  benign  in  the  test  set  were  not  part  of  the  training  set. 

J48  classification  decision  trees.  The  results  presented  here  arc  partially  based 
on  tlie  .148  decision  trees  [17]  in  Figure  1.  Running  tlie  training  sets  containing  bot 
behavior,  unreliable  provenance  and  stealth  mechanisms  individually  produc('d 
the  decision  trees  in  Figures  1(b),  1(c)  and  1(d).  Each  leaf  node,  shown  as  a  rect¬ 
angle,  represents  the  total  number  of  processes  classified  as  exhibiting  (=yes)  or 
not  exhibiting  (=no)  the  symptom  of  the  leaf  node’s  parent.  A  summation  of  the 
numeric  values  in  appropriate  leaf  nodes  gives  the  total  number  of  processes  wit  h  a 
(=yes)  or  (=no)  an.swc'r.  The  bot  network  activity  behavior  (F’cisiou  tree  in  Figure 
1(b)  produced  eight  true  resi)onses  with  the  test  set  data.  The  two  bot  processes 
were  amongst  the  eight;  six  false  positives  and  no  false  negatives  were  produced. 
The  unreliable  i^rovenance  decision  tree  in  Figure  1(c)  produced  eight  true  re¬ 
sponses  with  the  test  data.  The  two  bot  processes  were  amongst  the  eight;  six  false 
positive's  and  no  false  negatives  were  produced.  Five  processes  exhibited  unreli¬ 
able  })ro\'enaiice  symptom  i/i  and  three  ])rocesses  exhibited  unreliable  provenance 
syuiptoin  ^2.  Two  of  the  three  processes  with  symptom  U2  were'  purposely  injected 
(sec  paragraph  below  The  cases  of  /o,/i  ,/2  ^  /a)-  The  stealth  mechanisms  deci¬ 
sion  tree  in  Figure  1(d)  produced  ten  true  responses  with  the  t('st  data.  TIk'  two 
bot  i)roces.ses  were  amongst  the  ten;  eight  false  positives  and  no  false  negatives 
were  produced.  The  high  ainoiiiit  is  a  result  of  having  many  system  and  software 
update  processes  in  the  test  set  that  are  known  to  run  without  a  GUI.  The  two  bot 
processes  had  no  GUI  which  is  assumed  implemented  as  part  of  a  larger  ste'alt  h 
strategy  [16]. 


(a)  all  symptoms 


(c)  unreliable  provenance 
(g2(P)) 


(b)  bot  behavior 

(gi(P)) 


(d)  stealth  mechanisms 
(g3(P)) 


Fig.  1,  .148  Det  ision  Trees  Used  in  /o,  /i,  /2  and  /a 


Synipt()ins-Bas(Ml  Detect  ion  of  Hot  Proc€\ss(‘s 


XV,) 

The  cases  of  /o?/n/2  ^  /a-  Evaluating  the  test  data  results  of  hot  behavior  B(P). 
iiiirehahle  provenance  U(P)  and  stealth  niechanisnis  S{P)  with  /(),/i.  /2,  and  f:\ 
are  listed  in  Table  2  along  with  final  hot  predictions.  The  ease  of  /o  is  a  siinpli.s- 
tic  use  of  the  J  18  elassifi(‘r.  Using  all  the  symptoms  to  analyze  the  training  set 
data  produced  the  decision  tr(‘e  in  FigUR*  1(a)  with  no  false  posit  ives  and  no  false' 
negatives.  Analyzing  the  test  set  data  with  this  decision  tree  produced  two  false' 
pe^sitive's  and  ne)  false  ne'gative's,  listed  in  Table  2.  RemoteDLL  [13]  is  a  l)eneve)le'nt 
utility  which  lacks  a  eligital  signature  that  loads  and  remove's  DLLs  fre)ni  a  pro- 
ce'ss.  In  our  te^st  .set,  i)roe‘e'Sse'S  iexplore.exe  aiiel  firefox.exe  were  purposely 
DLL  injee  te'd  using  Re'inote'DLL  proelue'ing  two  false  positive's  with  the'  ele'cisie)n 
tree  in  Figure'  1(a)  sinev  the  injector  had  ue)  digital  signature.  In  the  case'  e)f  /i, 
our  te'st  se't  proelne  ed  eight  true  re'spe)nses  inc  hieling  the'  two  kne)wn  hots,  leaning 
six  false  pe)sitive's  and  ne)  false  iK'gatives.  All  eight  exluhite'el  hot  he'havior  ine  luel- 
ing  the  twe)  hots  wdiich  were'  also  the'  e)nly  ones  exhibiting  nnre'liahle'  provenaue  e' 
and  stealth  mechanisins.  Hot  l)ehavie)r  was  highly  prevalent,  partly  due  te)  benign 
network  active  pre)cesses  e'xc'eait  iiig  ce)mbiuations  e)f  DNS  activity  with  ce)nne'ctie)u 
at  teunpts.  In  the  case'  e)f  onr  test  set  prodnceel  five'  true  re'sponscs  inchuling  the* 
two  kne)wn  hots,  with  tlire'c  false  positive's,  an  iin])rovemcnt  over  f\.  All  five  e'x- 
hibite'd  unreliable  pre)venancc  hut  only  the  twe)  l)e)ts  exhibitcel  ste'alth  me'chanisius 
as  well.  Only  the  be)ts  pe)ss('sse'd  aelelitional  .sympte)m.s.  hinting  more'  aexnrate  ])er- 
fe)rmancc  can  be  made  with  stronger  re\strictie)ns.  In  the  ca.se  of  fs,  e)ur  t('.st  set 
pre)ehic('el  only  two  true  respe)nse's:  e)ur  two  ehsce)vered  be)t  processes.  Perfe'ct  re'- 
snlts  were  yielele'el  by  f:\  suggesting  accurate  elete*ctie)n  with  minimal  false  positive's 
anel  false  negatives  may  be  achie  ved  with  high  r('strictie)u  e'liforceinent . 

Discussion.  Only  five  of  the  eight  .sympte)ms,  b\,  U  s'l ,  compose'd  the'  ele'- 

(‘ision  tre'e's  anel  were  iise'el  in  the  final  l)e)t  ])re'eliction.s.  Syinpte)m  .Sj  was  the  most 
dominant  with  thirte'e'ii  pie)cesse'.s  in  our  test  set  e'xe'cuting  withe)ut  GUI.  This  is 
not  surj)rising  as  several  te'sted  benign  ])re)cesse's  we're  syste'in  services  running  in 
the'  background.  Synii)te)ni  e)c‘currcel  e)fte'n  due  to  ])roce‘s.ses  failing  te)  (‘e)une'e  t 
with  the  re'tnriK'el  IP  aelelres.se)f  a  successful  DNS  eiue'iy.  Synipte)in  only  oe'curre'el 
in  the'  twe)  test  se*t  hots,  suggesting  that  a  well  ele'signeel  be'iiigii  application  will  ne)t 
atte'inpt  to  eoinu'ct  to  IP  addresses  involve'el  in  a  failc'el  re'verse  DNS  query  while' 
hots  attenii)t  conne'etie)ns  regardless  of  DNS  activity  re'sults.  Acce)rding  to  Tal)le  2. 
e)nly  the  be)t  processes  servwin .  exe  {cutwail  bat)  anel  TMP94 .  tmp  (  VinU  bot)  pos- 
se'sse'd  more  than  one'  be)t  behavie)r  symptom.  This  hints  te)  strong  dcpcnelencies 
e)n  DNS  activitie's  by  bots  and  higher  pre)bability  te)  atte'inpt  (X)imections  with 
aelelres.se's  involve'd  in  DNS  activities.  Sympteiin  iii  oceairre'el  often  eliie  to  our  te\st 
set  procc.sses  lacking  digital  signatures.  One  can  assume  that  a  iiortiein  of  benign 
applications  and  the  vast  majeirity  of  malware  will  laeT  a  digital  signature.  Fh)t  h 
symptoms  s\  and  .s‘2  i)recise'ly  matched  for  each  proe'f'ss  in  the'  test  set,  meaning 
('ve'ry  proerss  exeenting  with  a  GUI  also  reael  user  input  anel  eve'iy  t)roeess  withe)nt 
a  CJUl  did  not  ivael  any  user  input.  Ranking  from  least  effeetive'  to  most  effective' 
de  te'ction  proelnees:  /i,  /2,  /o,  /;i*  Even  though  /q  was  see*oiul  most  efTee'tive'  in  bot 
detection,  given  a  more  eli verse'  te'st  set  the  straightforw'ard  eonstruetion  of  /o  may 
not  be  .so  e'ffective.  as  slieiwn  by  einr  purposeful  inje'etioii  of  tw(3  proeesse's  ehiring 


240  J.A.  Morales  et  al. 


testing.  Detecting  the  most  devious  of  bots  may  be  best  achieved  with  /3  but  /2 
may  capture  a  broader  range  of  bots  possessing  less  symptoms.  A  combination  of 
the  restrictions  of  /2  and  /3  may  b('  Ix'st  suited  for  hot  detection  and  combining 
restrictions  of  /i  may  be  the  best  to  detect  other  non-bot  malware. 

Limitations.  IP  addresses  of  DNS  activity  not  used  in  a  connection  attempt  by  a 
captured  pro(‘ess  were  not  analyzed  since  we  could  not  reliably  map  specific  DNS 
activity  with  a  specific  i)rocess.  Only  \Vin32  processes  were  analyzed  while  kernel 
I)rocesses  were  not.  We  are  currently  developing  utilities  oliniinatiiig  tlu'se  limita¬ 
tions  allowing  their  inclusion  in  our  evaluations. 

6  Conclusion  and  Future  Work 

We  presented  in  this  research  a  symptoi ns- based  technique  for  detecting  bot  pro¬ 
cesses  using  three  distinct  user  defined  sets  of  symptoms  drawn  from  known  bot 
samples:  bot  network  activity  behavior,  unreliable  provenance  and  stealth  mech¬ 
anisms.  Through  a  non-trivial  use  of  ,148  classifier,  three  distinct  evaluations  were 
performed  correctly  identifying  two  bot  processes.  Bot  network  activity  behav¬ 
ior  syniptoins  were  based  on  failed  connection  attempts  and  DNS  activity;  prove¬ 
nance  symptoms  were  based  on  the  existence  of  digital  signatures  and  proccss/file 
system  tampering;  stealth  mechanisms  were  based  on  the  absence  of  a  GUI  and  no 
required  reading  of  user  input.  Several  of  the  chosen  symptoms  appeared  in  both 
benign  and  bot  processes,  bnt  the  bot  processes  showed  a  iiiiich  higher  (luantity 
and  diversity  of  symptoms.  Based  on  the  results,  the  strongest  restrictive  analy¬ 
sis  requiring  symptoms  of  all  three  sets  was  the  best  singular  detection  solution 
producing  no  false  positives  and  no  false  negatives.  In  dealing  with  future  bots 
and  other  non-bot  malware  combining  stronger  and  weaker  restrictions  may  Ix' 
a  desirable  detection  approach.  Future  work  includes  analyzing  kernel  mode  bots 
and  a  diverse  set  of  network  protocols,  as  well  as  a  kernel-based  n^al-time  monitor 
detecting  presence  of  l)ot  processes. 

Acknowledgments 

This  work  is  partially  supported  by  grants  from  AFOSR,  ONR,  AFOSR  MURI. 
and  the  State  of  Texas  Emerging  Technology  Fund. 


References 

1.  Collins,  M.P.,  Sliinieall,  T.J.,  Faber,  S.,  Janies,  J.,  Weaver,  R.,  De  Shoii,  M.,  Kadane, 
.1.:  Using  nncleanliness  to  predict  future  botnet  addresses.  In:  IMC  2007:  Proceed¬ 
ings  of  the  7th  ACM  SIGCOMM  Conference  on  Internet  Measiirenient,  pp.  93  104. 
ACM,  New  York  (2007) 

2.  Dagon,  D.,  Gu,  G.,  Lee,  C.P.,  Lee,  W.:  A  taxonomy  of  botnet  structures,  hi:  Com¬ 
puter  Security  Applications  Conference,  Annual,  pp.  323  339  (2007) 

3.  Filiol,  E.:  Computer  Viruses:  from  Theory  to  Applications.  IRIS  International  .series. 
Springer,  Heidelberg  (2005),  iSBN  2-287-23939-1 


Syinptoius-Basetl  Dott'ctiou  of  Dot  Procossx's 


2 II 


4  Goobol.  Holz,  T.:  Rislii:  identify  hot  coiitainiiiated  hosts  by  ire  iiicknaiiie  evalu¬ 
ation.  In:  IIotBots  2007:  Proceedings  of  the  First  Conference  on  First  Workshop  on 
Hot  Topics  in  Understanding  Fiotnets.  p.  8.  USENIX  Association,  Berkeley  (2007) 
5.  (in,  G.,  Perdisci,  R.,  Zhang,  Lee,  W.:  BotMiner:  Clustering  analysis  of  network 
traffic  for  |)rotocol-  and  stnictnn'-independent  botnet  detection.  In:  Proceedings  of 
the  1 7th  USENIX  Security  Syinposimn,  Security  2008  (2008) 

().  Gn,  CL,  Zhang,  .L.  Le(',  W.:  Bot.Sniff(*r:  Detecting  botiK't  (xnnniand  and  control  chan¬ 
nels  in  network  traffic.  In:  Proceedings  of  the  15th  Annual  Network  and  Distributed 
System  Security  Synij^osinin  (NDSS  2008)  (hebrnary  2008) 

7.  Ilolz,  T.,  Steiner,  M.,  Dahl,  F.,  I3iersack,  E.,  Ineiling.  F.:  Measurements  and  mitiga¬ 
tion  of  peer- to- peer- based  botnets:  a  case,  study  on  storm  worm.  In:  LI^^ET  2008:  Pro¬ 
ceedings  of  the  1st  Usenix  Workshop  on  Large-Scale  [Exploits  and  Emergent  Threats, 
pp.  I  9.  USENIX  Association,  Berkeley  (2008) 

8.  Hu.  X..  Knysz,  M..  Shin.  K.G.:  RI)-seeker:  Aiito-detection  of  redirection  botnets.  In: 
l()th  Annual  Network  and  Distributed  System  Security  Symposium  (2009) 

9.  Hnsse.  C.:  Easyhook  2.0,  http://www.codeplex.com/easyhook 

10.  Mamaladze,  (L:  Globalhook, 

http: //WWW . codeproject . com/KB/cs/globalhook. aspx 

11.  Morales,  .LA.,  Clarke,  P.J..  Deng.  Y.,  Kibria,  B.G.:  Identification  of  fih*  inh'cting 
virn.s(»s  through  detection  of  .self- reference  replication,  .lonrnal  in  C^oniputer  Virology 
Special  El  CAR  C’onfenmce  Invited  Paper  Issue  (2008) 

12.  Nazario,  J.,  Holz,  T.:  As  the  lu't  churns:  Fast-flnx  botnet  observations.  In:  3rd  In¬ 
ternational  Conference  on  Malicious  and  Unwanted  Software,  MALWARE  2008,  pp. 
24  31  (2008) 

13.  Remote  dll  injection  application, 

http : / / WWW . novell . com/ coolsolut ions/ tools/ 17354 . html 

14.  Sigcheck  !.(>, 

http : / / technet . microsof t . com/ en-us/ sysinternals/bb897441 . aspx 

15.  Sun,  11. M..  Tseng.  Y.T.,  Lin.  Y.H..  (diiang,  T..).:  Det(‘cting  the  code  injection  by 
hooking  system  calls  in  wiiulows  kernel  mode.  In:  2000  International  Computer 
Symimsimn,  ICS  200G  (2006) 

10.  Szor.  P.:  The  Art  of  Computer  Virus  Research  and  Defense.  Symantec  Press  <V 
Add ison- Wesley  ( 2005 ) 

17.  Witten,  LIE,  Frank,  E.:  Data  Mining:  Practical  machine  learning  tools  and  t('cli- 
niqnes,  2nd  edn.  Morgan  Kaufinaim,  San  Francisco  (2005) 

18.  Zhu,  Z..  5 egneswaran,  V..  Chen,  Y.:  Using  failnn'  information  analysis  to  detect 
enterprise  zombk^s.  In:  5th  International  ICST  Conference  on  Security  and  Privacy 
in  Communication  Networks,  Secureconim  2009  (2009) 


A  Comparison  of  Feature-Selection  Methods 
for  Intrusion  Detection 


Hai  Tlianli  Nguyen,  Slobodan  Petrovic,  and  Katrin  Franke 


Norwegian  Information  Security  Laboratory 
Gjovik  University  College,  Norway 
(hai .nguyen, Slobodan. petrovic, katrin. franke} Shig.no 


Abstract.  Feature  selection  is  an  important  j^re- processing  step  in  in¬ 
trusion  detection.  Achieving  reduction  of  the  miinber  of  relevant  traffic 
features  without  negative  effect  on  classification  accuracy  is  a  goal  that 
greatly  inij)roves  overall  effectiveness  of  an  intrusion  detection  system. 
A  major  challenge  is  to  choo.se  appropriate  feature- select  ion  methods 
that  can  precisely  determine  the  relevance  of  features  to  the  intrusion 
detection  task  and  the  redundancy  between  features.  Two  new  feature 
selection  measures  suitable  for  the  intrusion  detection  task  have  been 
I)roposed  recently  [11,12]:  the  correlation- feature-select  ion  (CFS)  mea¬ 
sure  and  th(^  iiiiiiinial-redundancy-inaxiinal-relevauce  (iiiFlMR)  measure. 
In  this  paper,  we  validate  these  feature  selection  measures  by  comparing 
them  with  various  previously  known  automatic  feat  lire- select  ion  algo¬ 
rithms  for  intrusion  detection.  The  feature-selection  algorithms  involved 
in  this  comparison  are  the  previously  known  SVM-wrapper,  Markov- 
blanket  and  Cla.ssificalion  Regression  Trees  (CART)  algorithms  as 
well  as  the  recently  projjosed  generic-feature-selection  (GeFS)  iiK'thod 
with  2  instances  applicable  in  intrusion  detection:  the  correlation- feature- 
selection  {CcFScfs)  mid  the  ininimal-redundancy-maxiinal-relevance 
{GeFSinfU! n)  nieasnres.  Experimental  results  obtaineil  over  the  KDD 
CUP'fiy  data  set  show  that  the  generic- feature-selection  {G(  FS)  method 
for  intrusion  doti'ction  outperforms  the  existing  approaches  by  removing 
more  than  30%  of  redundant  features  from  the  original  data  set,  while 
keejiing  or  yielding  an  even  better  cla.s.si heat  ion  accuracy. 

Keywords:  intrusion  (h^tection;  feature  selection;  polynomial  iriixe'd  0— I 
fractional  programming;  mixed  0  1  integer  linear  programming. 


1  Introduction 

The  problem  of  intrusion  deteetion  is  often  analyzed  as  a  jiatteni  recognition 
problem  -  an  Intrusion  Detection  System  (IDS)  has  to  tell  normal  from  abnormal 
behaviour  of  network  traffic  and/or  command  seiinences  on  a  host.  In  addition, 
it  is  of  interest  to  further  classify  abnormal  behaviour  in  order  to  undertake 
adequate  counter-measures.  An  IDS  can  be  modeled  in  various  ways  (see  for  ex¬ 
ample  [9],  (lOj).  A  model  of  this  kind  usually  includes  a  representation  algorithm 

I.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010-  LNCS  6258.  pp.  242  255.  2010. 

0  Springer- Vorlag  Borlin  Heidelberg  2010 


A  Comparison  of  FoatiinvSeloction  Methods  for  Intrusion  I)('t('ction 


24d 


(for  n'prrseiitiiig  iii(‘oiiiing  data  in  the  space  of  selected  features)  and  a  classifi¬ 
cation  algorithm  (for  mapping  the  feature  vector  representation  of  the  incoming 
(lata  to  (dements  of  a  certain  set  of  values,  (\g.  normal  or  abnormal  etc.)  Some 
IDS.  lik('  th(*  ones  prescnited  in  [9],  also  include  the  feature  sek'ction  algorithm, 
which  determines  the  features  to  he  ns('d  by  the  repr('sentation  algorithm.  Even 
if  th('  h'atnre-selcetion  algorithm  is  not  included  in  the  model  dir('ctly,  it  is  al¬ 
ways  jussnmed  that  such  an  algorithm  is  run  before  th('  V(Ty  intrusion  det(Hdion 
process. 

Tlu'  (piality  of  the  h^atnre  selc’Ction  algoritlmi  is  one  of  the  most  important 
factors  that  aftV'Ct  the  effect iv('n('ss  of  an  IDS.  Tlu'  goal  of  the  algorithm  is  to 
(let(‘nniiie  the  most  relevant  feat  ures  of  the  incoming  traffic,  whose  monitoring 
would  ensure  reliable  d(*teeti()n  of  abnormal  behaviour.  Since  the  etfectiveimss 
of  the  chvssi  heat  ion  algorithm  h(\avily  (lep('n(ls  on  the  miiiiber  of  h'atnia's,  it  is 
lUTC'ssary  to  minimize  the  cardinality  of  th('  set  of  selected  feature's,  without 
dropping  i)ot(mtial  indicators  of  abnormal  behaviour.  Obviously,  determining  a 
good  S('t  of  features  is  not  an  easy  task.  The  most  of  the  work  in  practice  is  still 
(lone  manually  and  the  feature  selection  algorithm  dejx'iids  too  much  on  ('xjx'rt 
knowledge.  Automatic  feature  .selection  for  intrusion  detection  is  therefore  im- 
l)()rtaut.  For  antoniatic  h'ature  selection,  the  wrapiXT  and  the  filter  models  from 
machine  k'arning  are  fre(|iiently  applied  [18].  The  wrap^per  model  {iss('ss(\s  the 
selected  k'atures  by  learning  algorithm’s  p('rf()rmance.  Therefore,  the  wrapper 
method  r('(piires  a  lot  of  time  and  computational  r('sonrc('s  to  find  the  best  fea- 
tur('  subsets.  The  filter  model  (oiisiders  statistical  characteristics  of  a  data  s('t 
directly  without  involving  any  learning  algorithm.  Due  to  tlu'  computational  effi- 
cieiiey,  the  filter  method  is  usually  us(xl  to  s('k'ct  features  from  high-dimensional 
(lata  .sets,  such  as  intrusion  detection  systems.  Tlu'  filter  model  enc()mj)ass(^s 
two  groups  of  methods:  tlu'  k'ature  ranking  nu'thods  and  the  f(^atnr('-snbs('t- 
(walnating  methods.  The  feature  ranking  methods  assign  weights  to  feature's 
individually  based  on  their  relevance  to  the  target  concept.  The  featur('-snb.s('t- 
evaluating  methods  estimate  feature  subsets  not  only  by  their  relevanct',  but  also 
by  the  relationships  between  features  that  niak('  certain  k'atnres  redundant.  It 
is  well  known  that  the  redundant  features  can  rt'duce  the  perfornianee  of  a  pat¬ 
tern  (('cognition  .system.  Tlu'refore,  the  featnre-subset-evalnatiiig  methods  are 
more  suitable  for  selecting  features  for  intrusion  detection.  A  major  challenge 
in  the  IDS  feature  .selection  proc('ss  is  to  ('hoose  appropriate  measun's  that  can 
precisely  determiiK'  the  relevanc('  of  features  to  tlu'  intrusion  detection  task  and 
the  relationship  between  featnn's  of  a  given  data  set. 

Since  the  relevance  and  the  relationship  are  usually  eharacteriz('(l  in  t('rms  of 
(’orrelation  or  mutual  information  [4.19],  we  fo('us  on  two  feature  sek'Ction  mea¬ 
surers  for  intrusion  (h'tection  task:  th('  correlat ion-feat nre-selectkni  (CFS)  nu'a- 
snre  [l]  and  the  minimal-redimdancy-maxinial-relevaiue  (inRMR)  ineasuK'  [2|. 
In  [11.12],  a  new  .search  method  that  ensures  gkdially  optimal  fcatnre  sets  by 
iiu’ans  of  the  CFS  and  the  niRMR  measures  was  projiosed.  It  was  shown  that  the 
proposed  s('arch  method  outperforms  the  heuristic  .scare  h  strategie^s  by  removing 
much  more  redundant  feature's  from  the  KDD  CUP  1999  data  .se't  [7]  and  still 


244 


H.T.  Nguyen,  S.  Petrovic,  and  K.  Franke 


keeping  the  elassificatioii  a('cnracies  or  even  getting  better  performances.  In  this 
paper,  the  feature  selection  mei^sures  proposed  in  [11,12]  are  validated  by  (com¬ 
parison  with  various  previously  known  automatic  feature-selection  algorithms 
for  intrusion  detection.  Thus,  the  feature-selection  algorithms  involvc'd  in  the 
comparison  are  the  previously  known  SVM- wrapper  [13],  Markov-blanket  [14] 
and  CART  [14]  and  the  new  generic- feature-selection  (GeFS)  method  with  2  in¬ 
stances  applied  in  intrnsion  detection:  the  correlation-feature-selection 
(GeFScFs)  [11]  and  the  ininimal-redundaiicy-maximal- relevance  (GcFSm/? a//?) 
[12]  measures. 

A  theoretical  basis  for  comparison  of  the  methods  proposed  in  [1\,12]  and 
the  other  methods  is  difficult  to  give.  Such  a  basis  would  require  the  g(Uieral 
solution  of  the  problem  of  comparison  of  filter  and  wrapper  methods,  which  is 
not  known  (sometimes,  the  filter  methods  perform  better,  but  sometimes  the 
wrapper  methods  perform  better).  Because  of  that,  in  this  paper  we  present 
the  results  of  practical  comparison  achieved  on  a  particular  data  set.  Then  the 
generalization  of  the  results  of  the  comparison  depends  to  a  large  extent  on  the 
quality  and  generality  of  the  test  data  set.  We  believe  that  the  data  set  used 
for  this  comparison  with  the  modifications  described  below  is  general  enough  to 
claim  that  our  comparison  results  can  be  generalized  with  high  probability. 

Any  feature  selection  algorithm  selects  relevant  traffic  features  based  on  la- 
belk'd  data  (Fig.l).  In  this  research,  we  used  the  KDD  CUP’99  [7]  data  s(^t  for 
this  purpose,  since  all  the  existing  approaches  involved  in  the  comparison  used 
the  same  data  set  for  evaluation  [13,14].  The  full  feature  set  assigned  to  this  data 
set  consists  of  41  features.  It  is  well  known  [15,16]  that  the  KDD  CUP’99  data 
set  has  several  drawbacks  regarding  its  suitability  for  representation  of  modern 
traffic.  To  avoid  problems  relat(xl  to  this  data  set.  we  split  it  into  4  parts  ac¬ 
cording  to  the  category  of  attack:  DoS,  Prob(\  U2R  and  R2L;  we  consider  only 
two  attack  classes:  DoS  and  Probe.  This  ensures  more  objective  classification, 
since  in  such  a  way  the  influence  of  difference  in  cardinality  of  these  subsets 
ill  the  overall  data  set  is  reduced.  We  compare  the  feature-selection  algorithms 
by  the  number  of  selected  features  as  well  as  by  the  classification  accuracy  of 
machine  learning  algorithms  chosen  as  classifiers  for  intrusion  detection.  Exper¬ 
imental  results  obtained  over  the  KDD  CUP’99  data  set  show  that  the  GcFS 
method  outperforms  the  existing  approaches  by  removing  more  than  30%  of  r('- 
dundant  features  from  the  original  data  set,  while  keeping  or  yielding  an  even 
bett('r  classification  accuracy.  Even  though  the  KDD  CUP’99  data  set  does  not 
reflect  completely  the  characteristics  of  coiitfunporary  traffic,  the  results  of  our 
conii)arison  indicate  that  the  GeFS  method  for  selecting  feature's  would  behave 
well  on  general  intrnsion  detection  data  as  well. 

The  paper  is  organized  as  follows.  In  Section  2,  we  give  an  overview  of  the 
fi'atur  e-select  ion  methods  involved  in  the  comparison.  In  Section  3,  w('  present 
experimental  setting  as  well  as  experimental  results  regarding  the  number  of 
selected  feature's  and  the  classification  accuracy  obtained  over  the  KDD  Cup'99 
data  set.  Section  4  summarizes  onr  findings. 


A  (^oiiipari.soii  of  Foatiiro-Solcrtioii  Methods  for  Intrusion  Detection 


245 


Labelled  data  P 


Fig.  1.  A  feature  selection  algoritliin 


2  Feature-Selection  Methods  for  Intrusion  Detection 

In  this  section,  we  first  describe  the  previously  known  feature-selection  methods 
ns(‘d  in  intrusion  detection.  Tht'ii  we  give  an  ovt'iview  of  tlu'  recinitly  projiosed 
gciK'ric-h'ature-selection  (CeFS)  method  together  with  2  instances  applied  in 
intrusion  detection:  the  correlatioii-featnre-selection  (CrFScrs)  [^1]  ^^nd  tlu* 
miiiiinal-r(,‘fhnidancy-inaxinial-relevance  {G(  FSjf,fiM fi)  [12]  iiiea.sures. 

2.1  Existing  Approaches 

2.1.1  SVM-Wrapper 

Sung  and  Mukkamala  [13]  nstxl  the  ranking  methodology  to  .select  important 
features  for  intrusion  detection:  One  input  feature  is  deleted  from  the  data  at  a 
time  and  the  resultant  data  set  is  then  used  for  the  training  and  testing  of  the 
classifier  Support  Vector  Macliine  (SVM)  [17].  Then  the  SVMs  performance  is 
compared  to  that  of  the  original  SVM  (based  on  all  features)  in  terms  of  ndevant 
performance  criteria,  such  tis  overall  accuracy  of  (‘lassification,  training  time  and 
testing  time.  Tlu'  deleted  featnrt'  will  be  ranked  as  ‘’iinportant’' ,  "secondary''  or 
''insignificant''  according  to  the  following  rules: 

—  If  accuracy  decreases  and  training  time  increases  and  testing  tinu'  (h'creases. 
then  the  feature  is  important. 

—  If  accuracy  decreases  and  training  time  increa.ses  and  testing  time  increa.ses. 
then  thf'  feature  is  important. 

If  accuracy  decreases  and  training  time  decreases  and  testing  time  increast's. 
then  the  feature  is  important. 

—  If  accuracy  is  not  changed  and  training  time  incrc'ases  and  testing  time 
increa.ses.  then  the  feature  is  important. 

If  accuracy  is  not  changed  and  training  time  decreases  and  testing  tinu' 
increases,  then  the  feature  is  secondary. 

If  accuracy  is  not  changed  and  training  time  iiu'reases  and  testing  time' 
decreases,  then  the  feature  is  secondary 


246 


H.T.  Nguyen,  S.  Petrovic,  and  K.  Franke 


—  If  accuracy  is  not  changed  and  training  time  decreases  and  testing  time 
deereascs,  then  the  feature  is  insignificant. 

—  If  accuracy  increases  and  training  time  increases  and  testing  time  decrease's, 
then  the  feature  is  secondary. 

—  If  accuracy  increases  and  training  time  decreases  and  testing  time  increases, 
then  the  feature  is  secondary. 

—  If  accuracy  iiicrea.ses  and  training  time  decrea.ses  and  testing  t  inu'  decreases, 
then  the  feature  is  insignificant 

Ill  [13]  the  experiment  was  conducted  on  a  part  of  KDD  CUP'99  data  set  [7].  This 
data  s('t  contains  normal  traffic  and  four  main  attack  classes:  Denial-of-Servicc 
(DoS)  attacks,  Probe  attacks,  User-to-Root  (U2R)  attacks  and  Remote- to- Local 
(R2L)  attacks.  Some  important  features  were  selected  and  the  obtained  data  set 
after  removing  irrelevant  features  was  classified  by  SVM  [17].  The  results  are 
given  in  Table  1. 


Table  1.  Performance  of  SVM  using  selected  features  (SF)  [13] 


Classes  Niimber-of-SF  Accuracy 


Normal 

25 

99.59% 

DoS 

19 

99.22% 

Probe 

7 

99.38% 

U2R 

8 

99.87% 

R2L 

6 

99.78% 

2.1.2  Markov- Blanket 

Markov  lilanket  MB(T)  of  the  output  variable  T  is  defined  as  the  set  of  input 
variables  such  that  all  other  variables  arc  probabilistically  independent  of  T. 
Knowledge  of  MB(T)  is  sufficient  for  perfectly  estimating  the  distribution  of  T 
and  thus  for  classifying  T.  Markov  blanket  has  been  applied  for  feature  selec¬ 
tion  in  many  domains  [4].  In  2004.  Chebrohi  et.  al.  [14]  proposed  to  use  Markov 
Idaiiket  for  selecting  important  features  for  intrusion  detection.  In  order  to  do 
that,  they  constructed  a  Bayesian  Network  (BN)  from  the  original  data  set.  A 
Bayesian  network  B  =  {N,A,Q)  is  a  Directed  Acycdic  Graph  (DAG)  {N,A) 
where  each  node  ii  G  N  represents  a  domain  variable  (e.g.  a  data  set  attribute 
or  variable),  and  each  arc  a  £  A  between  nodes  represents  a  probabilistic  de¬ 
pendency  among  the  variables.  A  BN  can  be  used  to  compute  the  conditional 
probability  of  one  node,  given  values  assigned  to  the  othc'r  nodes.  From  the  con¬ 
structed  BN,  the  Markov  blanket  of  a  feature  T  is  the  union  of  T’s  parents,  T's 
children  and  eventually  other  parents  of  T\s  children.  An  example  of  a  Bayesian 
Network  is  given  in  k  ig.2.  The  gray-filled  nodes  constitute  the  MB(T): 

For  conducting  the  experiment,  Chebrohi  et.  al.  [14]  randomly  chose  11,982 
instances  from  the  overall  (5  millions  of  instances)  KDD  CUP'99  data  set  [7]. 
17  features  were  selected  and  the  Bayesian  Network  [17]  was  used  for  classifying 


A  C’oniparison  of  Foaturo-Seloction  Mrtliods  for  Iiitnisioii  Doteotion 


247 


Fig.  2.  All  (‘xainple  of  Markov  hlank(‘t 


Tabic  2.  f^M'foriiiaiic('  of  Bayesian  N('twork  using  selected  features  (SF)  [14] 


Classes  Number-of-SF  Accuracy 


Normal 

17 

!)!).()  1% 

DoS 

17 

98.16% 

Probe 

17 

98.57% 

U2R 

17 

()().()0%> 

H2L 

17 

98.93% 

tlu'  obtained  data  set  aftcu*  roiiioviiig  irredevaiit  features.  The  results  are  given 
in  Table  2. 

2.1.3  CART 

The  Classification  and  Regix'ssion  Trees  (CART)  approach  [17]  is  Inised  on  l)inarv 
recursive  partitioning.  The  process  is  binary  because  parent  nodes  are  always 
split  into  exactly  two  child  node's  and  recursive  because  it  is  lepeated  by  treating 
each  child  node  as  a  parent,  'hhe  key  elements  of  CART  methodology  are  a  set  of 
splitting  rules  in  a  tree:  deciding  when  the  tree  is  complete  and  assigning  a  class 
to  each  terminal  node.  Feature  selection  for  intrusion  detection  is  based  on  tlu' 
contributif)!!  of  the  input  variables  to  the  construction  of  the  decision  tree  from 
the  original  data  set.  The  importance  of  features  is  deterinined  by  the  role  of 
each  input  variable  either  as  a  main  splitter  or  as  a  surrogate.  Surrogate  splitters 
are  considered  as  back-up  rules  that  closely  mimic  the  action  of  primary  splitting 
rules.  For  example,  in  the  given  model,  the  algorithm  splits  data  according  to 
the  variable  protocoLtypr  and  if  a  vahu'  for  proiocoLtype  is  not  available  then  the 
algorithm  might  use  the  sennev  feature  as  a  good  surrogate.  Feature  importance, 
for  a  j)articiilar  feature  is  the  sniii  across  all  nodes  in  the  tree  of  the  improvement 
scores  that  the  predictor  has  when  it  acts  <is  a  primary  or  surrogate  splitter.  For 


248 


H.T.  Nguyen,  S.  Petrovic,  and  K.  Franke 


Table  3.  Performance  of  CART  using  selected  features  (SF")  [14] 


Classes  Number-of-SF  Accuracy 


Normal 

12 

100% 

DoS 

12 

85.34% 

Probe 

12 

97.71% 

U2R 

12 

04.00% 

R2L 

12 

95.. 56% 

example,  for  the  node  T  if  the  feature  appears  as  the  primary  splitter  then 
its  importance  could  be  given  as  iimportance-  But  if  the  feature  appears  as  the 
surrogate  instead  of  the  primary  variable,  then  the  importance  becomes 
i  importance  =  (in  X  Umprovcment  iH  wliich  p  is  the  suiTogate  improvernent  weight 
which  is  a  user  controlled  parameter  set  between  0  and  1. 

Chebrohi  et.  al.  [14]  conducted  the  experiment  on  the  data  set,  which  contains 
randomly  chosen  11,982  instances  from  the  overall  (5  niillions  of  instances)  KDD 
CUP’99  data  set  [7].  12  features  were  selected  and  the  CART  [17]  was  used  for 
classifying  the  obtained  data  set  after  removing  irrelevant  features.  The  results 
are  given  in  Table  3. 

2.2  A  New  Generic-Feature-Selection  Measure 

In  this  subsection,  we  give  an  overview  of  the  generic- feature-select  ion  (GcFS) 
method  together  with  2  instances  applied  in  intrusion  detection:  the  {GeFScrs) 
and  the  {GcFSmHMn)  measures. 


2.2.1  Definitions 

Definition  1:  A  generic-featiire-sedection  measure  used  in  the  so-called  filter 
model  is  a  function  GeFS{x).  which  has  tlie  following  form  [12]: 


GeFS{x) 


QQ  +  ELl 

bo  +  X]r=i  Bi{x)xi 


X  =  {ri, . r„)  €  {(),  1}" 


(1) 


In  this  definition,  binary  values  of  the  variable  Xi  indicate  the  appearance  {xi  = 
1)  or  the  absence  {xi  —  0)  of  the  feature  /j;  aq?  constants;  Ai{x),  Bi{x) 

are  linear  functions  of  variables  .ri , . . . ,  Xn- 


Definition  2:  The  feature  selection  problem  is  to  find  x  6  {0,1}"  that  maxi¬ 
mizes  the  function  GcFS{x)  [12]: 


max  GeFS{x) 


«o  + 

bo  +  Er=i  Bi{x)xi 


(2) 


There  are  several  feature  selection  measures,  which  can  be  represented  by  the 
form  (1),  such  as  the  correlation- feature-selection  (CFS)  measure  [1],  the  inininial- 
redundancy-maximal-relevaiice  (mRMR)  measure  [2],  Mahalanobis  distance,  etc. 


A  Comparison  of  Feature-Selection  Methods  for  Intrusion  Detection 


219 


A  major  challenge  in  the  IDS  feature-selection  prot'ess  is  to  choose  appropriate 
measures  that  can  precisely  determine  the  relevance  of  features  to  the  intrusion 
detection  task  and  the  redundancy  between  features.  Since  the  relevance  and 
the  redundancy  are  usually  characterized  in  terms  of  correlation  or  iiiutiial  in¬ 
formation  [4],  the  following  me^isures  for  application  in  intrusion  detection  were 
considered  in  [11,12]:  the  correlation- feature-selection  (CFS)  measure  [1]  and  the 
minimal-reduiidaiicy-maximal-relovaiic('  (iiiRMR)  measure  [2] . 


2.2.2  Correlation  Feature  Selection  Measure 

Th('  Correlation  Feature  Selection  (CFS)  measure  evaluates  subsets  of  features 
on  the  basis  of  the  following  hypothesis:  ''Good  feature  subsets  contain  features 
highly  eonelated  with  the  classification,  yet  uncorrelated  to  each  other''  [1],  Tlio 
following  equation  gives  the  merit  of  a  feature  subset  S  consisting  of  k  features: 


Merit  s{k) 


_ kr^ _ 

\Jk  +  k{k  —  \)vff 


Mere,  is  the  average  value  of  all  feature-classification  correlations,  and  TJJ  is 
the  average  value  of  all  feature- feature  correlations.  The  CFS  criterion  is  dehned 
as  follows: 


y/k  +  2(r/,/2  +  ..  +  Vf^fj  -f  ..  -h  ) 

Sup])ose  that  there  an'  7i  full-set  features.  Binary  values  of  the  variable  ./•,  are 
u.sed  to  indicate  the  appc'arance  (x,  =  1)  or  the  absence  (.Tt  =  0)  of  the  feature 
/j  in  the  globally  o])tinial  feature  set  [11].  Tlu'reforc',  the  probh'in  (3)  can  be 
rewritten  as  an  optimization  problem  as  follows: 


max  [ 


(E'Li 


(1) 


It  is  obvious  that  the  CFS  measure  is  an  instance  of  the  GeFS  measure.  In  [12]. 
this  measure  was  denoted  by  GcFScfs- 


2.2.3  The  niRMR  Feature  Selection  Measure 

111  2005.  Feng  et.  al.  [2]  proposed  a  feature-selection  method,  which  is  based  on 
mutual  information.  In  t  his  method,  the  relevance  of  features  and  the  redundancy 
between  features  are  considered  simultaneously.  In  terms  of  mutual  information, 
the  relevance  of  a  feature  .s('t  S  for  the  class  c  is  defined  by  the  mean  value  of 
all  mutual  information  values  between  the  individual  feature  /,  and  the  class  r 
as  follows: 


The  redundancy  between  features  in  the  set  S  is  the  iiK'aii  value  of  all  mutual 
information  values  between  the  feature  fj  and  the  feature  fj: 


250  H.T.  Nguyen,  S.  Pctrovic,  and  K.  Franke 


The  inRMR  criterion  Ls  a  combination  of  two  measures  given  above  and  is  defined 
as  follows: 


'  '  Ae5  I  '  hJjes 

By  using  binary  values  of  the  variable  Xi  as  in  the  case  of  the  CFS  iiu'asure 

to  indicate  the  appearance  or  the  absence  of  the  feature  and  by  denoting 

the  mutual  information  values  and  /(/n/j)  by  constants  Cj  and  aij, 

respectively,  the  problem  (5)  can  he  described  as  an  optimization  problem  as 
follows: 


max  f 
xe{o,i}” 


En 

En 

i=l 


V"- 


I  QijXiXj 


(C) 


It  is  also  obvious  that  the  inRMR  measure  is  an  instance  of  the  GeFS  measure. 
In  [12],  this  measure  was  denoted  by  GcFSmRMR’ 

Both  the  GeFScFS  <^nd  the  GeFSmRMR  feature-selection  problems  are 
solved  by  means  of  the  technique  that  involves  the  Polynomial  Mixed  0-1  Frac¬ 
tional  Programming  (PA/OIFP).  The  details  are  given  below. 


2.2.4  Polynomial  Mixed  0-1  Fractional  Programming 
A  general  polynomial  mixed  0—1  fractional  programming  (PA/OIPP)  prob¬ 
lem  [5]  is  n'presented  as  follows: 


min 


rn  ^ 

~i-  Z^j-i 

2^\bi  +  , 

1=1  *  ‘ 


rifce  J 


(7) 


such  that  < 


'  T  Ej-=i  K  >  0,2  =  l,..,7n, 

-b  Ej=i  YlheJ  <  0’  P  =  ^ 

:r,.  €{0,1},  A:  gJ, 

^  O  j .  hi ,  Cp,  Uij ,  bij ,  Cpj  G  3^. 


By  replacing  the  denominators  in  (7)  by  positive  variables  2/1(2  =  I,..,???),  the 
PA/01  PP  then  leads  to  the  following  cquivahnit  polynomial  mixed  0  —  1  pro¬ 
gramming  problem: 


m  n 

min  ^  (^my,  +  ^  ^  XkVi^  (8) 

i=\  i=i  keJ 

^iUi  +  ^2j=l  Ylk^J  —  1'2/i  ^  0, 

('p  +  Ej=i  ‘‘pj  rifceJ  <ilp=  1. 

Xk  e  {0,1},/.:  €  J, 

^  bi-i  (I  Ij  ^  bij  ^  Cpj  €  3?. 


Slick  that  < 


(9) 


A  (’omparisoii  of  Foatiire-Selectiojj  Methods  for  hitnisioii  Detection 


251 


In  order  to  solve  this  problem,  Chang  [5]  proposed  a  linearization  technique  to 
transfer  the  terins  flji-G  J  ^  mixed  0  —  1  linear  inetpialities.  Based 

oil  this  technique,  the  /^\/01FP  becomes  then  a  mixed  0  1  linear  programming 


(i\/01LP).  which  can  be  solved  by  means  of  the  branch-and-boimd  imdliod  to 
obtain  the  globally  optimal  solution. 

Proposition  1:  A  i)olviK)inial  mixed  0—1  term  nA;€./ from  (8)  (*an  be 
reprcsent(‘d  by  the  following  program  [5],  where  M  is  a  large*  positive  value: 


nun  Zi 


(10) 


Proposition  2:  A  polynomial  mixed  0—  I  term  fUeJ  from  (9)  (’an  be  rei)n*- 
seiited  by  a  continuous  variable  i\.  subjc'ct  to  the  following  liii(‘ar  in(H|naliti(*s  [5], 
when*  M  is  a  large  positive  value: 


The  ft'atiire  s(*leetion  problem  (2)  is  formulated  as  a  polynomial  mixed  0  -  1 
fractional  programming  (P;\/01f’P)  problem  as  follows: 

Proposition  3:  The  feature  seU'ction  problem  (2)  is  a  polynomial  niixenl  0  —  1 
fractional  programming  (PMOIFP)  problem. 

Remark:  By  applying  Chang’s  method  [5].  this  PA/OIPP  problem  can  be  trans¬ 
formed  into  an  A/OIL/^  problem.  The  number  of  variable's  and  constraints  is 
quadratic  in  the  iininlaT  n  of  full  set  features.  This  is  bt'cansc*  the  number  of 
terins  Xi.Vj  in  (2),  which  are  replaced  by  the  new  variables,  is  n(;i  +  l)/2-  The 
braiH’h-and-bonnd  algorithm  can  then  be  used  to  solve  this  MQILP  problem. 
But  the  effieiency  of  the  method  depends  strongly  on  the  nuinlx'r  of  variables 
and  constraints.  The  larger  the  number  of  variable's  and  constraints  an  M{)\LP 
[iroblem  Inus,  the  more  (‘omplic'ated  the  branch-and-bound  algorithm  is. 

In  [11,12],  an  improvement  of  the  Chang’s  method  was  proposed  in  order  to 
get  an  Mi)\LP  problem  in  which  the  number  of  variables  and  ('oiistraints  is  linear 
in  the  number  n  of  full  s('t  features.  Details  of  the  improvement  are  given  Ix'low: 

2.2.5  Optimization  of  tlie  GeFS  Measure 

By  introducing  an  additional  positive  variable,  denoted  by  y.  the  following  prob¬ 
lem  ('qnivaleiit  to  (2)  is  considered: 


n 


XG{0,1} 


min  (— (7cF5(,r))  =  — uoty  —  /  A|(,r),r,/y 


(12) 


(13) 


252  H.T.  Nguyon,  S.  Petrovic,  and  K.  Franke 


This  problem  is  transfonneil  into  a  mixed  0-1  liiiearning  programming  problem 
as  follows: 

Proposition  4:  A  term  Ai{x)xiy  from  (12)  can  be  represented  by  the  following 
program,  where  M  is  a  large  positive  value  [12]: 


mm  Zi 


(14) 


Proposition  5:  A  term  Di{x)xiy  from  (13)  can  be  represented  by  a  continuous 
variable  Vi,  subject  to  the  following  linear  inequality  constraints,  where  M  is  a 
large  positive  value  [12]: 


Vi  >  M{xi  —  1)  +  Bi{x)y, 
Vi  <  M{\  -  Xi)  +  Ai{x)y, 

0  <  Vz  <  Mxi 


(15) 


Each  term  Xzy  in  (14),  (15)  is  substituted  by  new^  variable  ti  satisfying  constraints 
from  Proposition  2.  Then  the  total  number  of  variables  for  the  M 01 LP  problem 
will  be  477  -1-  1,  as  they  are  Tj,  y,  fj,  Zi  and  Vi{i  =  l,n).  Therefore,  the  number  of 
constraints  on  these  variables  will  also  be  a  linear  function  of  ii.  As  W('  mentioned 
above,  with  Chang’s  method  [5]  the  number  of  variables  and  constraints  depends 
on  the  square  of  n.  Thus  the  method  [11,12]  actually  improves  Chang's  method 
by  reducing  the  complexity  of  the  branch  and  bound  algorithm. 

3  Experimental  Results 

3.1  Experimental  Setting 

For  comparison  of  the  generic-feature-selection  {GeFS)  measure  for  intrusion 
detection  [11,12]  with  the  previously  known  ones  [13,14],  w^e  implemented  the 
GcFScfs  ^iid  the  GcFS„iRmr  algorithms.  The  goal  was  to  find  globally  op¬ 
timal  feature  subsets  by  means  of  these  two  measures.  Since  different  intrusion 
det(Ttion  systems  used  different  feature-selection  methods  and  different  classi¬ 
fiers  with  the  aim  of  achieving  the  best  classification  results,  w^e  compared  gen¬ 
eral  performance  of  intrusion  detection  systems  in  terms  of  nuiiibers  of  selected 
features  and  the  classification  accuracies  of  the  machine  learning  algorithms 
giving  the  best  classification  results.  For  our  experiment,  we  used  the  decision 
tree  algorithm  C4.5  [8]  as  classifier  for  the  full-set  data  as  well  as  for  the  data 
sets  obtained  by  removing  irrelevant  features  by  means  of  the  GvFScfs  ^»d 
GvFSjnRMR  measures. 

We  performed  our  experiment  using  10%  of  the  overall  (5  millions  of  in¬ 
stances)  KDD  Cup' 99  data  set  [7],  since  all  the  existing  approaches  involved  in 
the  comparison  used  the  same  data  set  for  evaluation  [13,14].  This  data  set  con¬ 
tains  normal  traffic  (Normal)  and  four  attack  classes:  Denial-of-Service  (DoS), 


A  Comparison  of  Feature- Select  ion  Methods  fcjr  Intrusion  Detection 


253 


Table  4.  The  partition  of  KDD  CUP’99  data  set  used  in  the  experiment 
Classes  Number-of-instances  Percentage 


Normal  97.278  18.35% 

DoS  391.458  73.88% 

Probe _ 41.113  7.77% 

Total  529.849  100% 


Probe,  User-to-Root  (U2H,)  and  Reinote-to- Local  (R2L)  attacks.  As  the  two  at¬ 
tack  cla,ss('s  U2R  and  R2L  have  been  criticized  [15,16],  we  did  not  consider  them 
for  our  experiment.  Details  of  numbers  of  cbiss  instances  are  given  in  Table  4. 

As  the  attack  cla.sses  distribute  so  differently,  the  h'atnre  selection  algorithm 
might  concentrate  only  on  the  most  frequent  class  data  and  neglect  the  others. 
Therefore',  we  chose  to  process  tlu'se  attack  classes  separately.  In  order  to  do  that, 
we  added  normal  traffic  into  <'ach  attack  class  to  get  two  data  sets:  Nornial&DoS 
and  Xormali,:Prob('.  With  each  data  set,  we  ran  two  feature-se'lection  algorithms: 
the  CcFScfs  ^^nd  the  CcFSmnM r-  TIk'  mmilx'r  of  selected  features  is  given 
in  Fig. 3.  We  then  applied  the  C4.5  machine  learning  algorithm  on  each  original 
full-set  as  well  as  ('ach  newly  obtained  data  set  that  includes  only  those  select(‘d 
features  from  the  feature-selection  algorithms.  We  applied  5-fold  cross-validation 
on  each  data  set.  The  cUissification  accuracies  are  given  in  Fig. 4. 

4  he  GcFScrs  <tnd  the  CcFSjnRM r  feature-s('lection  methods  were  ('ompared 
with  the  existing  ones  (the  SVM-wrapper,  the  Markov-Blanket  and  the  CART) 
regarding  the  number  of  selected  features  and  regarding  the  cUissification  accu¬ 
racies  of  machine  learning  algorithms  chosen  as  cla.ssift('rs  for  intrusion  detection 
process.  Weka  tool  [3]  that  inii)lenients  the  machine  learning  algorithms  (04.5, 
SV"M  and  BayesNet)  was  n.sed  for  obtaining  the  results.  In  order  to  solve  the 
MOILP  problem,  we  used  TOMLAB  tool  [Gj.  All  the  obtained  results  are  shown 
in  Fig. 3  and  Fig. 4. 


■  Kull  sn(1) 

■  SVM-wr.ippcr(2) 

■  (k*I  S  mKMR(3) 
Markov '  Blanket  (4) 

■CART(5) 

■  a-FS_CFS(6) 


Fig.  3.  Nnml)er  of  selected  features  (on  average) 


254 


H.T.  Nguyen,  S.  Potrovic,  and  K.  Franko 


■  SVM  (2} 

•  C4  5  O  ) 

■  BiyitfsNtfl  (4| 
PCART  (S) 
«C4  5  {6} 


Fig.  4.  Classification  accuracies  (on  average) 


3.2  Experimental  Results 

Fig. 3  shows  the  average  iminber  of  features  selected  by  the  GeFS  feature- 
selection  method  and  those  selected  by  existing  approaches.  Fig. 4  summarizes 
the  average  classification  accuracies  of  chosen  machine  learning  algorithius  as 
classifiers  for  intrusion  detection  process.  It  can  be  observed  from  Fig. 3  that  the 
GeFSch  S  feature-selection  method  selects  the  smallest  number  of  relevant  fea¬ 
tures.  Fig. 4  shows  that  with  the  approach  from  [11,12]  the  average  classification 
accuracies  are  approximately  the  same  or  even  better  than  those  achiev('d  by 
ap])Iying  other  methods. 

4  Conclusions 

In  this  paper,  we  compared,  regarding  the  number  of  .selected  features  and  the 
(dassification  accuracy,  .some  previously  known  feature  selection  methods  appli¬ 
cable  for  intrusion  detection  purposes  with  the  feature  selection  methods  for 
intrusion  detection  proposed  in  [11,12].  The  i)reviously  known  feature-selection 
algorithms  involved  in  this*  comparison  were  the  SVM- wrapper.  Markov-blanket 
and  CART  algorithms.  The  feature  selection  algorithms  proj)osed  in  [11,12]  in¬ 
cluded  in  this  comparison  are  instances  of  a  generic- feature-select  ion  (GcFS) 
method  for  intrusion  detcK'tion:  the  correlation-featnre-selection  (GeFScFs) 
the  ininhnal-redundancy-inaximal-relevance  {Gc.FSmRM r)-  Experimental  results 
obtained  over  the  KDD  CUP’99  data  set  show  that  the  GeFS  method  outper¬ 
forms  the  previously  known  aj)proaches  by  removing  more  than  30%  of  redun¬ 
dant  features  from  the  original  data  set,  while  kce])ing  or  yielding  an  even  better 
classification  accuracy,  hi  spite  of  all  the  known  limitations  of  the  KDD  CUP  99 
data  set  u.sed  for  ('oniparison  and  the  difficulties  in  establishing  a  more  general 
theoretical  basis  for  the  comparison,  there  is  a  high  probability  that  comparison 
results  similar  to  ours  could  he  obtained  on  other  data  sets  as  well. 


A  (’oiiiparison  of  Fcatiirc'-Selection  Methods  for  Intrusion  Detection 


255 


References 

1.  Ilall,  M.:  Correlation  Based  Feature  Selection  for  Machine  Learning.  In:  Doctoral 
dissertation.  Department  of  Computer  Science,  University  of  Waikato  (1999) 

2.  Peng.  II.,  Long,  F.,  Ding.  C.:  Feature  Selection  Bas«I  on  Mutual  Information: 
Criteria  of  Max-Dependency,  Max- Relevance,  and  Min-Redundancy.  IEF2E  Tran.s- 
actions  on  Pattern  Analysis  and  Machine  Intelligence  27,  1226  1238  (2(K)5) 

3.  Weka,  the  Data  Mining  Software  in  Java,  http :  //www.  cs .  waikato .  ac .nz/ml/weka/ 
J.  Gnyon,  1.,  Cunn,  S.,  Nikravesh,  M.,  Zad(Ji,  L.A.:  Feature*  F]xtraction:  Foundations 

and  Applications.  -Studies  in  lMizzine.s.s  and  Soft  Computing.  Springer,  Heidelberg 
(2()0()) 

5.  C’hang,  (M\:  On  the  Polynomial  Mix(*d  0-1  Fractional  Programming  Problems. 
fmrop(*an  Journal  of  Operat  ional  Rese'arch  131,  224  227  (2001) 

6.  TOM  LAB,  The  Optimization  Enviromnent  in  MATLAB,  http://tomopt.com/ 

7.  KDD  Cup  1999  DataSet  (1999), 

http : //www. sigkdd . org/kddeup/ index . php?section=1999&method*data 

8.  Quinlan,  J.R.:  C4.5:  Programs  for  Machine  Learning.  Morgan  Kaufmann,  San  FTan- 
cisco  (1993) 

9.  Gii,  G.,  F^ogla,  P.,  Dagon,  D..  Lee,  W.,  Skoric,  B.:  Towards  an  Information- 
Theoretic  Framework  for  Analyzing  Intrusion  Detection  Systems.  In:  Gollmann, 
D.,  Meier,  J.,  Sabelfold,  A.  (eds.)  ESOUK^S  2006.  LN(\S,  vol.  4189,  pp.  527  546. 
Springer,  Heidelberg  (2006) 

10.  Crescenzo,  G.D.,  Ghosh,  A.,  Talpade,  R.:  Towards  a  Theory  of  Intru.sion  Detec¬ 
tion.  In:  Capitaiii,  S.,  Syverson,  P.,  Golhnaim,  D.  (eds.)  F^SORICS  2005.  LNCS, 
vol.  3679,  pp.  267  286.  Springer,  Heid(dberg  (2005) 

11.  Nguyen,  11.,  FVanke.  K.,  Petrovic.  S.:  Improving  Effective* ness  of  Intrusion  Detec¬ 
tion  by  Correlation  Feature  Selection.  In:  International  Conference  on  Availability, 
Reliability  and  Security  (ARF2S),  pp.  17  24.  IEEE  Press,  New  York  (2010) 

12.  Nguyen,  H.,  Franke,  K.,  Petrovic,  S.:  Optimizing  a  Class  of  Feature  Selection  Mea¬ 
sures.  In:  NIPS  2009  Workshop  on  Discrete  Optimization  in  Machine  Learning: 
Snbmodularity,  Sparsity  Sc  Polyhedra  (DISCML),  V'^ancoiiver,  Canada  (2009) 

13.  Sung,  A.H.,  Mnkkainala,  S.:  Identifying  Important  Features  for  Intrusion  Detection 
Using  Support  Vector  Machines  and  Neural  Networks.  In:  International  Symposium 
on  Applications  and  the  Internet  (SAINT),  pp.  209  217.  IEEE  Pre.ss,  Los  Alamitos 
(2003) 

14  Chebrohi,  S.,  Abraham,  A.,  JJiomas,  ,1.:  Feature  Deduction  and  F]nseuible  Design 
of  Intrusion  Detection  Systems.  Computers  Sc  Security  4,  295-307  (2005) 

15.  McHugh.  J.:  Testing  Intrusion  Detection  Systems:  A  Critique  of  the  1998  and 
1999  DARPA  Intrusion  Detection  Sy.stem  Evaluations  as  Performed  by  Lincoln 
Laboratory.  ACM  TISSEC  3,  262  294  (2000) 

16  Sabhnani,  M.,  Serpen.  G.:  Why  Machine  Learning  Algorithms  Fail  in  Misuse  De*- 
tection  oil  KDD  Intrusion  Dete(  tion  Data  Set.  Intelligent  Data  Analysis  8,  403  415 
(2004) 

17.  Duda,  R.O.,  Hart,  P.E.,  Stfirk,  D.G.:  Pattern  Chussification.  John  WileyV  Sons. 
New  York  (2001) 

18.  Chen,  Y.,  Li,  Y.,  Cheng,  X.Q.,  Guo,  L.:  Survey  and  Taxonomy  of  Feature  Selection 
Algorithms  in  Intrusion  Detection  System.  In:  Lipmaa,  IL,  Yung,  M.,  Lin,  D.  (eds.) 
Inscrypt  2006.  LNCS,  vol.  1318,  pp.  153  167.  Springer,  Heidelberg  (2006) 

19  Liu,  H.,  Motoda,  H.:  Computational  Methods  of  Feature  Selection.  Chapman  V 
Hall/CRC,  Boca  Raton  (2008) 


From  NLP  (Natural  Language  Processing) 
to  MLP  (Machine  Language  Processing) 


Peter  Teufl^,  Udo  Payer^,  and  GiUMiter  Laekner^ 

^  Institute  for  Applied  Information  Processing  and  Communications  (I AIK) 
Graz  University  of  Technology 
peter . teuf ISiaik . tugraz . at 
^  CAMPUS02,  Graz  University  of  Applied  Science 
udo . payerQcampus02 . at 
^  Studio78,  Graz 
guenther . lacknerQstudio78 . at 


Abstract.  Natural  Language  Processing  (NLP)  in  combination  with 
Machine  Learning  techniques  plays  an  important  role  in  the  field  of  au¬ 
tomatic  text  analysis.  Motivated  by  the  successful  use  of  NLP  in  solving 
text  classification  problems  in  the  area  of  e-Participation  and  inspired 
by  our  prior  work  in  the  field  of  polymorphic  shellcode  detection  we  gave 
classical  NLP-proces.ses  a  trial  in  the  special  case  of  malicious  code  anal¬ 
ysis.  Any  malicious  program  is  based  on  some  kind  of  machine  language, 
ranging  from  manually  crafted  as.sembler  code  that  exploits  a  buffer  over¬ 
flow  to  high  level  languages  such  as  Javascript  used  in  wel)- based  attacks. 
We  argue  that  w^ell  knowai  NLP  analysis  processes  can  be  iiu^dific'd  and 
applied  to  the  malware  analysis  domain.  Similar  to  tin'  NLP  process  we 
call  this  process  Machine  Language  Processing  (MLP).  In  this  paper,  we 
use  our  (v Participation  analysis  architecture,  extract  the  various  NLP 
techniques  and  adopt  them  for  the  malware  analysis  process.  As  proof- 
of-concept  we  apply  the  adopted  framework  to  inalicions  code  examples 
from  Metasploit. 

Keywords:  Natural  Language  Processing,  Malw^are  Analysis,  Semantic 
Networks,  Machine  Language  Processing,  Machine  Learning.  Knowledge 
Mining. 


1  Introduction 

Natural  Language  Processing  (NLP)  involves  a  wide  range  of  teehniqiK's  that 
enable  the  automated  parsing  and  processing  of  natural  language.  In  the  ease 
of  written  text,  this  autoinat(Hl  processing  ranges  from  the  Lexical  j3arsing  of 
sentences  to  applying  sophisticated  methods  from  machine  learning  and  artificial 
intelligence  in  order  to  gain  insight  on  the  covered  topics.  Although  NLP  is  a 
complex  and  computationally  intensive  task,  it  gains  more  and  more  importance 
due  to  the  need  to  automatically  analyze  large  amounts  of  information  stored 
within  arbitrary  text  sourees  on  the  Internet.  For  such  large  text  corpora  it  is 


I.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  256  260,  2010. 
©  Springer- Vrrlag  Berlin  Heidelberg  2010 


From  NLP  to  MLI 


257 


not  feasible  for  luniiaii  experts  to  read,  to  liiulerstaiid  and  to  draw  eonclnsions 
in  a  (oinplete  inaniial  way. 

An  example  for  such  a  domain  is  the  electronic  participation  (further  denoted 
as  e-Particii^ation)  of  citizens  within  a  governmental  decision  proc  ess.  Typically, 
this  process  involves  citizens  that  c'xpress  their  opinion  on  certain  topics  and 
domain  expc'i  ts  that  analyze  tlu'se  opinions  and  extract  important  concepts  and 
ide<is.  In  carder  to  specnl  iij:)  the  j^rocess  and  iinj^rov^o  the  results  it  makes  sense 
to  apply  NLP  technique's  that  support  the  domain  experts.  Therefore,  we  have 
imijlementc'd  and  emi^loyed  an  e- Participation  analysis  framework  [1]. 

Due  to  previous  work  in  the  field  of  malicious  code  detc'ction  especially  in  the 
jield  of  polyniorjyhic  shellrode  detection  [2],  [3]  we  realized  that  thc‘  analysis 
of  natural  languages  is  somewhat  similar  to  the  analysis  of  machine  langiiages. 
Malware,  regardk'ss  cT  its  nature,  is  always  ba.sed  on  .some  kind  c^f  programming 
language  \isc*d  to  encode  the  commands  that  an  attacker  wants  to  execute  on 
a  victim's  machine.  This  can  be  raw  ^us.sembler  code  or  a  high  levcd  .scripting 
language  .such  as  .Javascript.  The  jnocc'ss  of  detc'cting  malware  is  to  identify 
malicious  code  within  large  amounts  of  regular  code.  There  are  a  wide  range 
of  malware  detec  tion  methods  ranging  from  simple  signatcire  detection  methods 
to  highly  sophisticated  methods  based  on  machiiu‘  learning.  However,  before 
s\ich  methods  can  be  dej^loyed  for  malware  detecticiii  we  need  to  analyze  and 
nnderstaiid  the  underlying  code  itself.  Due*  to  self  mutating  code,  encryption, 
iiK'tamorphic  and  polyuiorphic  engines,  and  other  nu'thods  designed  to  camou¬ 
flage  the  malware  itself,  it  is  not  po.ssible  to  create  simi^le  signatures  anymore. 
Therefore,  w-e  need  to  extrac  t  other  more  c-oinplc'x  relations  within  the  machine' 
language  that  allow  ns  to  devise  more  robust  detection  methods. 

In  this  paper,  we  argue  that  the  same  NLP  procc'sses  and  technicines  nsc'cl 
for  the  analysis  of  natural  language  can  be  mappc'd  and  applic'cl  to  machine 
language.  Analog  to  the  NLP  proc  ess  w'c  introduce  the  concept  of  Machine  Lan¬ 
guage  Proces.sing  (MLP).  In  order  to  find  rc'levant  MLP  procc'ssc's,  wc'  c'xtract 
the  various  analysis  steps  of  c^iir  e-Participation  analysis  framework  and  define 
corresponding  MLP  steps.  In  ordc'i*  to  test  the  implementability  of  this  approach 
w'c*  finally  apply  the  modified  framew'ork  to  real  assemblc'i*  c*ocle  extracted  from 
various  dc'cocling  engines  generatc'd  by  the  Metjusploit  framework. 

Although  the  proof-of-concept  and  the  NLP-to-MLP  transformations  focus  on 
cas.s('mblc'r  ccxle,  the  discaissecl  tc'chniques  could  easily  be  extended  to  arbitrary 
machine  languages. 

2  Related  Work 

Malware  is  definc'd  as  some  piece  of  software  with  the  only  intc'iition  to  perform 
some  harmful  actions  on  a  device,  whic:h  is  alrc'ady  under  c'oiitrol  or  is  intendc'd 
to  be  under  control  of  an  attacker.  Malware  analysis  on  the  contrary  is  the 
process  of  re-engineering  thc'se  pieces  of  .software  or  to  analyze  the  behavior  for 
the  only  purpose  to  identify  or  demonstrate  the  harmfnlness  of  thc'se  piece's  of 
software  (such  as  a  vir\is,  worm,  or  Trojan  horsc's).  Actually,  inahvare  analysis 
can  be  divided  into 


258 


P.  Teiifl,  U.  Payer,  and  G.  Lackncr 


—  behavior  analysis  {dynamic  analysis)  and 

—  code  analysis  {static  analysis) 

Since  no  generic  tool  exists  to  perforin  this  analysis  antoniatieally,  the  process  of 
malware  analysis  is  a  inaiinal  one,  which  can  fortunately  fall  back  on  a  rich  set  of 
efficient  but  simple  tools.  A  tricky  part  in  malware  analysis  is  to  detect  pieces  of 
code,  which  are  only  triggered  under  some  specific  conditions  (day,  time,  etc.  ...). 
In  such  eases,  it  is  essential  to  disassemble  the  whole  executable  and  to  analyze 
all  possible  execution  pat  lies.  Finding  and  watching  suc’h  execution  pathes  (e.g. 
by  the  help  of  a  disassembler)  is  forming  the  core  meehaiiisin  of  a  sophisticated 
code  analysis  process. 

As  ’’dyiiamie”  approach  to  detect  execution  chains  within  a  piece  of  software 
is  to  execute  and  analyze  its  behavior  in  a  restricted  eiivironment.  Such  an  en- 
viroiiment  can  be  a  debugger,  which  is  controlled  by  a  human  analyst,  to  step 
through  each  single  line  of  code  to  see  the  code-execution  happening  and  to  un¬ 
derstand  the  ’’meaning’*  of  the  code.  Examples  of  such  ’’sandbox”-  techniques 
are  CWSandbox  [4],  the  Norman  SandBox  [5],  TTAnalyze  and  Cobra  [6].  Com¬ 
mon  to  all  these  examples  is  that  code  is  automatically  loaded  and  analyzed 
in  a  virtual  machine  environment  to  find  out  the  basic  behavior  and  execution 
pathes.  A  special  dynamic  sandbox-method  is  the  so  called  black  box  analysis. 
In  this  Ccisc,  the  system  is  studied  without  any  knowledge  about  its  internal  con¬ 
struction.  Observable  during  the  analysis  are  only  external  in-  and  outputs  as 
well  as  their  timing  relationshi{)s.  After  a  successful  simulation,  a  post  mortem 
analysis  will  show  effects  of  the  malware  execution.  This  post  mortem  analysis 
can  be  done  by  standard  computer  forensic  tool  chains. 

In  the  ease  of  malicious  code  analysis,  the  connnon  idea  is  to  mse  analysis 
archtitectures  to  make  use  of  the  huge  number  of  useful  tools  in  a  controlled 
way.  BitBlaze  [7]  for  instance  even  tries  to  combine  static-  and  dynamic  analysis 
tools.  The  BitBlaze  framework  actually  consists  of  three  components:  Vine,  the 
static  analysis  tool,  TEMU,  the  dynamic  analysis  eoinponent,  and  Rudder,  a 
separate  tool  to  eombiiie  dynamic  and  static  analysis  results. 

NLP  is  a  huge  field  in  computer  science  about  language-  based  interactions 
between  computers  and  humans.  It  can  b^isically  be  divided  in  the  following  two 
major  areas: 

—  Natural  language  generation  systems  (LGS),  which  convert  information  from 
coniputer  datab^ises  into  readable  human  language  and 

—  Natural  language  understanding  systems  (LUS),  which  are  designed  to  con¬ 
vert  samples  of  human  language  into  a  formal  representation.  Such  a  repre¬ 
sentation  can  be  used  to  find  out  what  concepts  a  word  or  phrase  stands  for 
and  how  these  concepts  fit  together  in  a  meaningful  way. 

Related  to  the  content  of  this  paper,  we  always  think  about  NLP  as  an  applica¬ 
tion  that  can  deal  with  text  in  the  sense  of  chussification,  automatic  translations, 
knowledge  acquisition  or  the  extraction  of  useful  information.  In  this  paper,  we 
will  not  link  NLP  to  the  generation  of  natural  languages.  Especially  in  the  case 
of  LUS,  a  lot  of  prior  work  exists,  which  was  carried  out  by  many  different  re¬ 
search  groups  (e.g.  [8], [9]).  Machine  learning  techniques  have  been  applied  to 


From  NLP  to  MLP  2r,\) 

th(*  natural  language  problem,  statistieal  analysis  has  been  performed  and  large 
t('xt  (‘orpora  have  been  generated  and  have  been  used  siiecessfiilly  in  the  field  of 
NLP,  Thus,  several  projeets  about  innovative  ways  to  I'un  and  improve  NLP’ 
methods  have  already  Ix'en  finished  or  are  still  ongoing  -  and  we  are  quite  sure 
that  then’  will  be  many  more. 

3  Methods 

3.1  NLP 

All  NLP  eomponentvS  of  the  platform  are  based  on  th(’  lingpipe  NLP  API  [10],  It 
is  a  Java  API  that  covers  a  wi(l(’  range  of  algorithms  and  teelmi(ines  important 
for  NLP:  Exainph's  are  Part-of- Speech  (POS)  tagging,  the  detection  of  sentenees, 
spelling  correction,  handling  of  text  corpora,  language  idcaitification,  word  scnise 
disambiguation  (e,g,  [11]),  etc.  The  tc’clmiqnes  that  are  relevant  for  our  text- 
analysis  architecture  will  b<’  shortly  discussed  in  the  snbsecpient  sections.  F'or  a 
good  overview^  of  all  these  techniques  we  refer  to  the  tutorials  that  come  with 
the  lingpipe  pacbigeL 

3.2  Semantic/ Associative  Networks  and  Spreading  Activation  (SA) 

A.ssociative  networks  [12]  are  directed  or  undirected  graphs  that  store  informa¬ 
tion  in  th(’  network  nodes  and  use  edges  (links)  to  i)resent  the  relation  betwec'u 
tlu'se  nodes.  Typically,  these  links  are  weighted  according  to  a  weighting  scheme. 
Spreading  activation  (SA)  algorithms  [13]  can  be  used  to  extract  information 
from  associative  networks.  Associative  networks  and  SA  algorithms  play  an  im¬ 
portant  role  within  Information  Retrieval  (TH)  systems  such  as  [14],  [15]  and 
[1 1],  By  applying  SA  algorithms  we  are  able  to  extract  Activation  Patteiiis  from 
trained  associative  networks.  These  Activation  Patterns  can  then  be  analyzed 
by  arbitrary  sni)ervised  and  imsupervised  machine  learning  algorithms, 

3.3  Machine  Learning  (ML) 

For  the  .superviscnl  or  urisupcr vised  analysis  of  the  a(  tivation  pattct'ns  the 
patterns  geiu’rated  by  applying  SA  to  the  semantic/associative  network  stan¬ 
dard  machine  learning  algorithms  can  be  applied.  Example’s  for  supervised  algo¬ 
rithms  are  tlu’  widely  used  Support  Vector  Machiiu’s  (SVM),  Neural  Networks 
and  Bayesian  Networks,  The  family  of  imsnpervi.sed  algorithms  has  an  impor¬ 
tant  role,  since  such  te(’hnkpies  allow  ns  to  extract  relations  between  featun’S. 
to  detect  anomalies  and  to  find  similarities  between  patterns  without  having  an 
a-priori  knowledge  about  the  analyzed  data.  Examples  for  such  algorithms  are 
Neural  Cas  based  algorithms  [16],  Self  Organizing  Maps  (SOM),  llierachical  Ag- 
glonierative  Clustering  (HAC),  or  Expectation  Maximation  (EM).  In  this  work 
we  employ  tlu’  Robust  Growing  Neural  Gas  algorithm  (RGNG)  [16]. 


iittp://aIias-i,coui/lingpipe/denios/tiitorial/rea(l-nie,htinl 


260  P.  Teufl,  U.  Payer,  and  G.  Lackner 


4  From  NLP  to  MLP 

Ill  [1]  we  present  an  automated  text-anaiysis  architecture  that  is  used  for  th(' 
analysis  of  various  e-Participation  related  data-sets.  The  basic  modules  of  this 
architect  lire  arc  depicted  in  Figure  L  The  remaining  part  of  this  section  describes 
the  various  NLP  and  ML  related  submodules  of  this  architecture  and  how  they 
can  be  applied  or  transformed  to  MLP  modules  for  malware  analysis. 

4.1  Lexical  Parser/Emulator/Dis assembler 

NLP:  For  NLP,  we  need  to  convert  a  sequence  of  characters  into  a  sequence  of 
tokens.  These  tokens  represent  the  terms  of  the  underlying  text.  The  conversion 
process  is  called  lexical  analysis.  By  using  lexical  parsers  such  kxs  the  Stanford 
Parser  [17],  we  are  able  to  extract  the  roles  of  terms  within  a  sentence  and  the 
relations  between  these  terms.  Depending  on  the  subsequent  processing  steps, 
this  could  range  from  a  superficial  analysis  identifying  some  key  grammatical 
concepts  to  a  deep  analysis  that  is  able  to  extract  fine  details. 

MLP:  Raw  machine  code  is  a  byte  sequence  that  contains  instructions  that  arc 
executed  by  the  processor.  In  addition,  most  of  the  av^ailablc  instructions  hav^e 
parameters  that  are  also  encoded  in  the  byte  sequence.  In  order  to  (extract  infor¬ 
mation  for  further  analysis,  we  need  to  process  this  byte  sequence  and  extract 
the  instructions  and  the  parameters.  In  a  simple  scenario  this  could  be  done 


NLP/MLP  Processing 


Semantic  Processing 


NLP 


MLP 


Lexical  Perser  | 

Emulator/Disassembler  I 

POS  Tagging  | 

POC  Tagging 

POS  Filter  j 

POC  Filter 

Lemmetization  | 

1 

1  Lemmatization  j 

Semontic  Network  Generetion 


Activation  Pettem  Generation 


External  Kriowiedge 


Analysis 


Unsopervised  Analysis 

1 

1  Semantic  Search  j 

1  Semantic  Relations 

1 

1  Supervised  An^ysis 

Fig.  1.  MLP  vs.  NLP  Processing 


Fronj  NLF^  to  MLP 


20 1 


with  a  (li.sas.seinhlcr  that  extracts  iiistnictioiis  from  a.  givc’ii  byte  se(|ueiice.  llow- 
e\'('r.  (hie  to  branch  operations  such  as  jiiip  or  call  tlu'sc  byte  sequence  is  not 
pr()('ess(Hl  by  tli('  CPU  in  a  linear  way.  Thus,  in  order  t(3  extract  the  instruction 
chain  the  way  it  is  executed  on  a  CPU,  we  need  to  employ  emulators  or  execute’ 
th(’  cod(’  directly  on  the  CPU.  For  the  example  presented  later  in  this  work,  w(’ 
utilize  the  PTRACE  sy.stem  call'^  on  linux  to  (’xc’cute  code  directly  on  the  CPU 
(s('e  Section  5.1  for  a  more  detailed  d('scription).  By  applying  such  metluKls  to 
tlu’  raw  !)yte  s(’queiiee.  we  are  able  to  extract  and  inspect  the  instructions  chains 
ex('cnted  on  the  CPU.  In  analogy  to  NLP  tlu’sc’  instruction  chains  repri'sent  tlu’ 
written  text,  which  ikhhIs  to  b(’  aiialyzc’d.  Similar  to  NLP  the  deepiu^ss  of  tlu’ 
analysis  di’pcaids  on  the  applic’d  method.  These  methods  range*  from  extracting 
the  instructions  and  their  execution  order  to  more  complicated  methods  capable 
of  identifying  more  coinph’x  striictnrc’s:  eoiistrncts  such  as  loops,  the  nec(\ssarv 
prf’paration  for  ex(*entiiig  interruj)ts,  l)ranching  c'te. 

4.2  POS  (Part-of-Speech)  Tagging,  POC  (Part-of-Code)  Tagging 

NLP:  POS  tagging  can  also  be  sc'en  as  part  of  tlu’  lexical  analysis  descrilx’d  in 
th('  i)r(’vious  section.  However,  since  it  plays  an  important  role  for  text  analysis, 
we  d(’S(’ribe  it  as  separate  proc’ess.  In  NLP,  Part-of-Speeeh  tagging  is  the  procc’.ss 
of  identifying  the  role  of  each  t(’rm  in  a  s(’ntence.  The  following  (’xaniple  shows 
th(’  POS  tags  for  a  given  sentc’nce:  Ilrllo^RB  RPRP  mn.VBP  a.DT  liftlc.J.I 
srntf  jice^NN  trying-VBC  to.TO  fiiid.VB  my.PRP  placf-^NN  wifbhi.IN  fhis.DT 
tcji-NN  ._.  The  tags  were  o])tain('d  by  using  the  online’  interfac’e  of  the  Stanford 
parser'^,  where  for  example  NN  indi(*at(’s  nouns  and  VB*  identific’s  vc’ibs  and 
tlunr  difh’re’iit  modes.  POS  tags  an*  used  for  subsequent  procc’ssing  steps,  whi('h 
iiu  lude  the  filtcTing  of  terms  acrording  to  tln’ir  tags  and  establishing  ivlations 
Ix’twc’en  tc’inis  in  a  sx’inantic  network  ac'cording  to  these  tags. 


MLP:  Obviously,  there  are  no  nouns,  verbs  or  relatc’d  concepts  in  machine  cod(’. 
hut  then’  are  similar  concepts  that  (ould  b(’  used  to  tag  single  in.st  met  ions.  We 
(‘all  tlu’se  tags  Part-OLCodc  (POC)  tags.  For  the  (’xainple  presented  in  Section 
5  we  tag  the  instructions  according  to  their  functionality  which  r(’snlts  in  the  fol¬ 
lowing  ('at('gori(\s:  control  flow,  arithmet  i(‘,  logic.  sta(‘k,  (’omparison,  inov(’,  string, 
bit  manipulation,  flag  manipulation,  floating  point  unit  iiistrnctic^ns,  other. 

4.3  POS/POC  Filtering 

NLP:  Dep(’n(ling  on  tlu’  subseqiu'nt  analysis,  it  makes  sense  to  k(’cp  only  terms 
with  certain  POS  tags.  For  tlu’  (’-Parti(*ipation  related  text  analysis,  we  only 
kc'cp  nouns,  verbs  and  a(lje(4iv(’s  since  the  already  conv(’y  a  large  part  of  tlu’ 
inforniation  within  the  text. 

^  http://liniix.die. net /nian/2/ptrace 
http://iilp.stanford.e<Iii:8080/parser/ 


262  P.  Teufl,  U.  Payer,  and  G.  Lackner 


MLP:  According  to  the  determined  POC  tags,  we  can  easily  define  filters  that 
allow  ns  to  focus  on  branching  behavior,  arithmetic  operations,  logical  opera¬ 
tions  etc. 

4.4  Leinmatization 

NLP:  Before  proceeding  with  the  NLP  analysis  of  POS  tagged  text,  it  makes 
sense  to  derive  the  lemmas  of  the  remaining  terms.  By  doing  so  we  avoid  the 
ambiguity  of  different  forms  such  as  inflected  terms  or  plural  forms.  For  exam})le 
the  term  bought  would  be  mapped  to  its  lemma  buy  for  further  analysis. 

MLP:  When  applying  this  process  to  machine  code,  we  need  to  ask  ’'What  is 
the  lemma  of  an  assembler  instruction?”.  There  is  not  a  single  answer  to  this 
question,  but  there  are  several  concepts  that  could  be  used  for  lemmatizatioii: 

-  Instruction  without  parameters:  In  this  case  we  strip  away  the  {)arani- 
eters  of  an  instruction  and  use  the  instruction  as  lemma. 

-  Mapping  of  instructions:  Instructions  that  belong  to  the  same  family 
could  be  mapped  to  one  instruction.  An  example  would  be  the  mapping  of 
all  niov  derivates  to  one  instruction. 

-  High  level  interpretation:  In  this  case  we  focus  on  the  operations  per¬ 
formed  by  the  instructions  and  not  the  instructions  themselves.  E.g.  the 
instructions  and  their  parameters  xor  eax,eax  or  niov  eax,0  or  the  chain 
mov  eax,5;  sub  eax,5  all  have  the  same  effect  the  eax  register  con¬ 
tains  the  value  0.  As  we  see,  this  effect  can  be  achieved  by  using  various 
instructions  or  instruction  chains.  Such  techniques  are  typically  employed 
by  polymorphic  and  inetamorphic  engines  trying  to  camouflage  their  real 
purpose  by  changing  the  signature  of  each  generated  instance. 


4.5  Creation  of  the  Associative/Seinantic  Network 

In  this  stej)  we  create  the  semantic  or  associative  network  that  stores  the  in¬ 
formation  on  how  different  features  are  related.  In  case  of  NLP,  the  terms  of 
a  text  are  the  features  and  the  relations  are  defined  by  the  co-occurence  of 
terms  within  sentences.  For  MLP,  the  features  are  represented  by  instructions 
and  the  relations  between  instructions  are  based  on  the  co-o(Turencc  of  these  in¬ 
structions  within  chains.  We  note  that  although  these  relations  are  rather  simple 
they  already  convey  important  information  for  further  analysis  (see  Section  6  for 
possil)le  improvements).  The  semantic  network  is  generated  in  the  following  way: 

NLP:  For  each  sentence,  we  apply  the  following  procedure:  For  eacii  different 
term  (sense)  within  the  analyzed  text  corpus  we  create  a  node  within  the  as¬ 
sociative  network.  The  edges  between  nodes  and  th(ur  weights  are  determined 
in  the  following  way:  All  senses  within  a  sentence  are  linked  within  the  asso¬ 
ciative  network.  Newly  generated  edges  get  an  initial  weight  of  1.  Every  time 
senses  co-occur  togetluT.  we  increase  the  weight  of  their  edges  by  1.  In  addition, 


From  NLF"  to  MLP 


263 


\v('  store  the  type  of  ooniu'ction  for  eac^li  edge.  Exaini)les  for  these  types  an' 
iionii-toiiouii  links,  iioiui-to-verb  links  or  adjeotive-to-adverh  links.  By  using 
this  infoiniation  when  applying  SA  algorithms,  we  are  able  to  constrain  the 
.spreading  of  activation  values  to  certain  type's  of  relations. 

MLP:  In  nia<‘lnne  code,  se'iitences  as  we  know  them  from  text,  do  not  ex¬ 
ist.  However  we  ean  find  other  t('ehniqnes  that  separate  instruction  chains  in  a 
iiK'aningfiil  way: 

Using  branch  operations  to  limit  iiistriictioii  chains:  For  this  method, 
we  use  branch  operations  such  as  jinp.  call  to  identify  the  start/end  of  an 
instruction  chain.  We  have  already  siicc'ssfnlly  apj:>lied  this  method  in  prior 
work  ([3]), 

-  Number  of  instructions:  We  could  simply  defiiK'  a  window  with  size  n 
that  take  ii  instruct  ions  from  the  instriK  tion  (liaiiis. 

Regardless  of  tlu'  method  for  the  extraction  of  instruction  chains,  the  network 
is  generated  in  the  same  way  as  for  tlu'  text  data, 

4.6  Generation  of  Activation  Patterns 

Inlorniation  about  the  relations  l)('tw(*en  terins/instriK  tions  can  Ix'  extractc'd 
by  applying  the  SA-algorithm  to  the  network.  For  each  s('nt(‘ne('/in.struction 
chain,  \\c  can  detenniiu^  the  corres])onding  nod('S  in  the  network  representing 
the  values  ston'd  in  the  data  v(H‘tor.  By  activating  these  nodes  and  applying  SA. 
we  can  spread  the  activation  according  to  the  links  and  their  associated  wt'ights 
for  a  ])redefined  inimlx'r  of  iterations.  After  this  i)rocess.  we  can  determine  the 
activation  value  for  each  node  in  the  network  and  represe'iit  this  information 
in  a  v('ctor  -  tlu'  AcHvafion  Paffcii}.  The  areas  of  th('  <Lssoeiative  lu'twork  that 
are  aetivatc'd  and  the  strength  of  the'  activation  gives  information  about  which 
terins/iiist ructions  oc'ciirred  and  which  nodes  are  strongly  related. 

4.7  Analysis  of  Activation  Patterns 

The  activafioii  patfniis  generated  in  the  previous  layers  are  the  Ixisis  for  applying 
supervised  and  nnsii|)ervist'd  Machine  Learning  algorithms.  Rirthermore,  \v('  can 
iinpleinent  semant  ic  awan'  search  algorithms  based  on  SA. 

Unsupervised  Analysis:  llnsui)ervis('(l  analysis  plays  an  important  role  for 
the  analysis  of  text,  since  it  allows  us  to  automatically  cluster  documents  or 
instruction  diains  according  to  their  similarity. 

Search  with  Spreading  Activation  (SA):  In  order  to  search  for  relatc'd  eon- 
c('pts  within  tlu'  analyzed  text  soiirees/instruetioii  chains,  we  apply  the  following 
pro(‘('dure.s: 


264 


P.  Teufl,  U.  Payor,  and  G.  Lackuer 


1.  The  user  enters  the  search  query,  which  could  be  a  coiubinatioii  of  terms  or 
instructions,  a  complete  sentence  or  instruction  chain  or  ev(ui  a  document 
containing  multiple  sentences  or  instruction  chains. 

2.  We  determine  the  POS/POC  tags  for  every  term/instructioii  within  the 
search  query. 

3.  Optionally,  we  now  make  use  of  an  external  knowledge  source  to  find  related 
terms/instructions  and  concepts  for  the  terms/instructions  in  the  query.  For 
NLP  such  an  external  source  could  be  WordNet  [14]  or  Wikipedia.  For  MLP 
we  could  use  reference  documentation  that  describes  all  available  instruc¬ 
tions,  their  parameters  and  how  these  are  related.  An  example  for  such  a 
source  is  the  Instruction  Set  Reference  for  Intel  CPUs"^. 

4.  We  activate  the  nodes  corresponding  to  the  terms/instructions  of  the  search 
query  and  use  the  SA  algorithm  to  spread  the  activation  over  the  associative 
network. 

5.  We  extract  the  activation  pattem  of  the  associative  network  and  compare  it 
to  the  document,  sentence  or  instruct  ion  chain  patterns  that  were  extracted 
during  tlu'  training  pro(‘ess.  The  patterns  are  sorted  according  to  their  sim¬ 
ilarity  with  the  search  pattern. 

External  knowledges  sources  such  as  Wordnet  can  be  quite  useful  for  improving 
the  quality  of  the  search  results.  In  order  to  highlight  some  of  tlu^  benefits,  we 
have  the  following  example  for  text-analysis.  As.sumiiig,  we  execute  a  search 
query  that  contains  the  term  fruit.  After  applying  SA.  we  get  the  relations  that 
were  generate<l  during  the  analysis  of  the  text.  However,  these  relations  only 
represent  the  information  stored  within  the  text.  The  text  itself  does  not  ex])lain 
that  apples,  bananas  and  oranges  are  in.stances  of  the  term  fruit.  Therefore  when 
searching  for  fruit  we  will  not  find  a  sentence  that  contains  the  term  apple  if 
the  relation  between  these  two  terms  is  not  e.stabhshed  within  the  text.  Thus,  it 
makes  sense  to  include  external  knowledge  sources  that  contain  such  information. 
For  NLP  we  can  simply  use  Wordnet  to  find  the  instances  of  fruit  and  activate 
these  in.stances  in  the  associative  network  before  applying  SA.  For  MLP,  such 
information  could  also  provide  vital  information  about  the  relations  between 
instructions.  In  a  similar  way  wo  could  issue  a  search  query  that  extends  the 
search  to  all  branch  or  arithmetic  instructions. 

Relations  between  Terms/Instructions:  The  trained  assr)ciative  network 
contains  information  about  relations  between  terms/instructions  that  co-occur 
within  sentences/instruction  chains.  By  activating  one  or  more  nodes  within 
this  network  and  applying  the  SA  algorithm,  we  are  able  to  retrieve  related 
terms/instructions. 

5  The  Real  World  —  Example 

In  order  to  show  the  benefits  of  a  possible  malware  analysis  architecture  based 
on  MLP,  wc  transform  the  existing  NLP  framework  and  apply  it  to  payloads 


http:/ /w\^^w. intel.com/ products/processor/ manuals/ 


F^Yoni  NLP  to  MLP 


2()5 


and  sliollcode  encoders  generated  by  the  Metas])loit  franu'work.  The  Metiisploit 
project  is  describt'd  in  this  way  on  the  project  website^:  Metasploit  provides 
useful  infonnation  to  people  ivfio  perform  penetration  testing,  IDS  signature  de¬ 
velopment,  and  exploit  reseoreh.  This  projeet  was  ereated  to  promde  information 
on  exploit  teehniques  and  to  create  a  useful  resource  for  exploit  developers  and 
secuiity  professionals.  The  tools  and  information  on  this  site  air  pivvided  for 
legal  security  research  and  testing  pui'poses  only, 

5.1  PTRACE  Utility 

For  the  lexical  analysis  of  an  arbitrary  byte  seqneiu  e  we  have  dev('loj)ed  a  simple 
tool  bivsed  on  the  PTRACE  system  call®  on  Linux, 

Single  stepping:  By  utilizing  PTRACE  we  are  able  to  instruct  the  pro¬ 
cessor  to  perforin  single  ste])ping.  This  enables  us  to  inspect  each  executed 
instruction,  its  parameters  and  the  CPU  registers. 

-  Execution  of  arbitrary  byte  sequences:  The  utility  follows  each  instruc¬ 
tion  chain  until  the  bounds  of  the  byte  sequence  are  reacln'd.  the  inaxiniinii 
number  of  loops  is  reached  or  a  fault  occurs.  Whenever  oiu'  of  these  condi¬ 
tions  is  fnlfilk'd,  tlu'  tool  searches  for  a  new  entry  point  that  has  not  alread\' 
been  executed.  By  applying  these  technique  we  are  able  to  find  executable 
instruction  chains  even  if  tluy  are  embedded  in  other  data  (e.g,  images, 
network  traffic). 

Blocking  of  interrupts:  The  analysis  of  the  payloads  and  encoders  geiu'r- 
ated  by  Metasploit  is  rather  siinj)le.  In  order  to  k(‘ep  payloads  from  writing 
oil  the  harddrive,  we  sinij)le  block  all  interrupts  encountered  by  the  tool. 
Detection  of  seif  modifying  code:  Such  behavior  is  typical  for  a  wide 
range  of  encoders/de(‘oders  that  encode  the  actual  payload  in  order  to  hide 
it  from  IDS  systems.  Typically  the  actual  payload  is  decoded  (or  decrypted) 
by  a  small  decoder.  After  this  process  the  plain  j)ayload  is  executed.  Since 
this  d('codiiig  process  changes  the  byte  sequence,  it  is  easy  to  deU'ct  when 
the  decoder  has  finishetl  and  jumps  into  the  decoded  j)ayload. 

Dumping  of  instructions:  The  tool  makes  use  of  tlu'  libdisasiii  library^ 
to  disassemble  instructions.  For  each  CPU  .stei),  we  dump  the  iii.st ruction, 
its  parameters  and  the  category  it  belongs  to. 

5.2  Metasploit  Data 

Metasploit  offers  a  coniinaiid  line  interface  to  generate  and  encode  payloads. 
We  have  used  this  interface  to  extract  various  payloads.  Furthermore,  we  have 
encoded  a  payload  with  different  shellcode  encoders  including  the  imlymorplhc 
shellcode  encoder  shikata-ga-nai.  As  dump  format  we  have  used  the  unsigned 
char  buffer  format.  In  ordcM*  to  aj^ply  MLP  techniques  we  use  the  existing  NLP 
arcliite(‘tnre  as  b<isis  and  add  or  modify  existing  ])higins  for  MLP  processing: 

■'*  http:/ / WWW. met asploit .com / 

^  http; //linnx. die. net /nian/2/ptrtu:e 
'  http://biustard.sourceforge.net/hbdisasm.htmI 


266  P.  Tcu6,  U.  Payer,  and  G.  Lack  nor 


—  Lexical  Analysis:  For  the  extraction  of  the  instruction  chain  we  use  our 
ptrace  utility.  The  extracted  chains  contain  the  executed  instructions,  their 
I)araineters  and  th('  instruction  category.  We  do  not  consider  the  parame¬ 
ters  for  further  processing.  The  instruction  chains  are  seperated  into  smaller 
chains  by  using  control  flow  instructions  (e.g.  jmp,  call,  loop)  as  separator. 
In  analogy  to  NLP,  these  sub  instruction  chains  are  considered  ^us  ’‘sentences” 
whereas  the  whole  payload/encoded  payload  is  considered  as  ’’document”. 

—  Tagging:  Similar  to  a  POS  tagger,  we  can  use  a  POC  tagger  for  MLP.  In 
this  case  this  tagger  uses  the  hi.struction  category  as  tag.  We  consider  all 
tags  for  further  analysis  and  do  not  apply  a  filter. 

—  Lemmatization:  Except  for  dropping  the  parameters,  we  do  not  em{)loy 
further  leininatization  operations. 

—  Semantic  network  generation:  We  apply  the  same  semantic  network  gen¬ 
eration  process  as  used  in  the  NLP  architecture. 

—  Activation  pattern  generation:  This  is  also  based  on  the  same  process 
that  is  used  for  the  NLP  architecture.  For  each  sub  instruction  chain  (sen¬ 
tence),  we  activate  the  nodes  corresj)oiiding  to  the  instructions  within  the 
chain  and  spread  the  activation  over  the  semantic  network.  We  do  not  make 
use  of  any  external  knowledge  source. 

—  Analysis:  We  show  some  examples  for  the  analysis  of  the  extracted /encoded 
payloads:  Unsupervisf^l  clustering,  finding  relations  between  instructions  and 
semantic  search. 

5.3  Relations 

For  text-analysis  we  often  lU'ed  to  find  terms  that  are  closely  related  to  a  given 
term.  An  exampde  from  the  e-Partieipation  data  analysis  is  shown  in  Figure  2(a). 
We  use  the  term  vehicle  and  extract  the  related  terms  from  the  the  semantic 
network.  Some  examples  for  related  terms  are:  pollution,  climate  change, 
car,  pedestrian  and  pedestrian  crossing.  These  relations  are  stored  in  the 
semantic  network  that  was  generated  during  the  analysis  of  the  text  data.  In 
MLP,  we  can  ai)ply  exactly  the  same  procedure.  For  the  following  example  we 
want  to  find  instructions  that  are  related  to  XOR  within  the  dataset  consisting 
of  subchaiiis.  In  this  case  relation  means  that  the  instructions  co-occur  within 
the  same  chain.  By  issuing  the  query  for  xor,  we  get  the  following  related  in¬ 
structions:  push,  pop,  iiic,  add,  dec,  loop.  These  results  can  be  explained 
by  having  a  closer  look  on  the  decoding  looi)s  of  various  decoders  (shikata-ga- 
nai,  countdown,  alidia-mixed)  shown  in  Table  1.  The  utrlitzatioii  of  these  other 
instructions  is  necessary  for  reading  the  encoded/encoded  shellcode,  performing 
the  actual  decoding  and  writing  the  decoded  shellcode  back  onto  the  stack.  Due* 
to  the  unsupervised  analysis  and  the  semantic  network  we  are  able  to  find  these 
relations  without  knowing  details  about  the  underlying  concepts. 

5.4  Semantic  Search 

The  previous  example  shows  that  due  to  the  semantic  network  and  the  links 
within  this  network  we  an*  able  to  find  relations  between  terms/instructions. 


From  NLP  to  MLP 


2(»7 


street 
air  pollution 

pedestrian 

automobile 


commodity  price 

small  town  Austria 

i^) 


SOmph 

climate  change 
time 

V6hicl6  opposrtBlane 

pedestnan  crossing 
law 


pop  loop 
push 


add 


jnz 


imul 


(b) 


cmp 


Fig.  2.  NLP  -  FU'latiou  betwcMMi  (a)  and  MLP  -  relations  hetweon  instructions  (b) 


Table  1.  Soinantic  search  results  for  instruction  add 


Result 

Decoder 

Instruction  chain 

Description 

1 

shikata-ga-nai 

xor  add  add  loe)p 

De'coder 

2 

shikata-ga-nai 

xor  inov  fiisteiiv  pejp  mov  xor  aeld  add  loop 

Dec*odor  se'tuj> 

.4 

iionaipha 

po])  mov  add  mov  cmi)  jge 

Decoder  setup 

4 

fiistonv-mov 

x()r  snb  loop 

De'coder 

5 

countdown 

xe)r  loe)]) 

Decoder 

These  ndations  can  also  be  used  for  executing  stunantic  aware  stvirch  (jiu'ries. 
In  order  to  highlight  the  hcMU'fits,  we  first  pr(\sent  a  simple  example  taken  from 
text-analysis.  Assuniiiig  we  have  two  sentences^ A  and  B:  A:  "Evidence  .sngg(\st.s 
flowing  water  formed  the  rivers  and  gullies  on  tlie  Mars  surface,  even  tliotigli 
surface  temperatures  were  below  fn'e/iiig"  and  B;  "Dissolved  minerals  in  litjnid 
water  may  be  the  reason".  When  w(*  search  for  tlie  term  Mars  w('  obviously 
are  able  to  retrieve  sentence  A.  However,  since  stuitence  A  talks  about  water  on 
Mars,  we  also  want  to  find  sentence  B  that  adds  further  details  coneerning  the 
term  water.  Since  the  term  Mars  is  not  in  sentence  B  we  need  to  make  use  of 
the  relations  stored  in  the  semaiitie  network  in  order  to  include  .sentence  B  in  the 
search  results.  The  same  procedure'  can  he  appliexl  to  MLP.  For  the  following 
example  wc  search  for  instruction  chains  that  are  related  to  the  in.stniction 
add,  which  plays  a  role  in  various  shellcocle  decoders.  The  results  are  shown 
in  Table  1.  Obviously,  th('  algorithm  returns  decoders  with  an  add  instriu  tion 
first,  since  these  have  the  h(‘.st  matching  }^atterii.  However,  at  position  4  and  5 
\\v  also  retrieve  decoding  loops  of  other  decoders  that  do  not  make  ns('  of  the 
add  instruction.  We  are  able  to  find  these*  decoding  loe^ps  since  they  u.se  otlu'r 
iii.st ructions  that  are  typical  for  such  loops:  xor,  sub,  loop.  Due  to  the  relations 
(*reat('d  by  the  decoding  l<3ops  of  shikata-ga-nai,  add  is  linked  with  those*  anel 
similar  instriietioiis.  Thus,  we  are  able  te)  re'trieve  these  other  eioroeler  le)ops  that 
ele)  not  contain  the  add  instruction,  hut  have  similar  tasks. 


^  Take  from  the*  article:  NASA  Scientists  Find  Evidence  for  Lieiuid  WatcT  eui  a  Froz('u 
Early  Mars,  May  28tli.  littp://spacefellow.shiincoin 


2G8  P.  Tcufl,  U.  Payer,  and  G.  Lackner 


5.5  Clustering 

By  clustering  whole  execution  chains  or  sub  chains  (e.g.  loops)  into  clusters,  we 
are  able  to  categorize  different  execution  chains  automatically.  For  iinsnpervised 
clustering  we  apply  the  RGNG  [16]  cluster  algorithm  to  the  activation  patterns  of 
the  siibchaiii  dataset.  By  choosing  a  rather  simple  model  complexity,  we  retrieve 
4  clusters:  Cluster  1  p)rimarily  consists  of  the  decoding  loops  of  alpha-upper 
and  alpha-mixed.  Since  both  decoders  have  similar  tasks  (but  not  the  same 
instruction  chains),  they  are  categorized  within  the  same  cluster.  Cluster  2  and 
Cluster  4  contain  the  polymorphic  decoding  engines  of  shikata-ga-iiai.  By  ob¬ 
serving  the  instruction  chains  of  those  both  clusters  we  see  that  Cluster  2  has 
chains  based  on  add  instructions  whereas  Cluster  4  consists  of  those  chains  that 
employ  sub  instructions.  This  is  a  perfect  example  why  it  could  make  .sense  to 
employ  external  knowledge  to  gain  additional  information  about  the  analyzed 
instructions.  In  this  case,  add  and  sub  could  be  mapi)ed  to  arithmetic  instruc¬ 
tions  which  would  result  in  the  categorization  within  the  same  cluster.  Cluster  3 
contains  chains  related  to  decoding  engine  setup  and  the  nece.ssary  j)reparations 
for  calling  an  interrupt  (typically  the  payload  itself). 

6  Conclusions  and  Outlook 

In  this  paper  we  present  a  MLP  architecture  for  malware  analysis.  This  archi¬ 
tecture  is  the  result  of  adopting  an  existing  NLP  architecture  to  the  analysis 
of  machine  code.  We  map  existing  NLP  modules  to  MLP  modules  and  describe 
how  established  NLP  processes  can  be  transferred  to  malware  analysis.  In  order 
to  show  some  of  the  possible  applications  for  such  an  MLP  architecture,  we  ana¬ 
lyze  different  shellcode  engines  and  payloads  from  the  Metasploit  framework.  The 
presented  malware  architecture  can  be  seen  as  the  first  step  in  this  direction. 
There  are  further  promising  techniques,  which  would  increase  the  capabilities 
and  the  quality  of  the  analysis  process: 

—  Improved  lexical  parsing  in  order  to  allow  the  identification  of  more  conqdex 
structures  such  as  loops,  preparations  for  interrupts,  etc. 

—  Due  to  improved  lexical  parsing,  more  relations  could  be  stored  in  the  seman¬ 
tic  network,  which  would  enable  more  detailed  or  focused  analysis  processes. 

—  High  level  interpretation  of  the  undc'rlying  machine  code. 

—  Extending  the  MLP  framework  to  high  level  languages  such  as  .Iava.script. 

All  of  these  suggested  improvements  have  corresponding  elements  within  NLP 
and  are  partly  already  solved  there.  This  means,  that  we  might  be  able  to  apply 
some  of  the.se  techniques  directly  in  MLP  or  adapt  them  for  MLP.  As  next  step 
we  will  identify  more  suitable  NLP  techniques  and  adopt  them  to  MLP  modules. 
Finally,  we  especially  want  to  thank  P.  N.  Sugaiithan  for  providing  the  Matlab 
sources  of  RGNG  [16]. 


From  SIP  to  MLF 


2G9 


References 

1.  Tciifl.  P.,  Payer.  U.,  Parycek,  P.:  Aiitoinated  analysis  of  e-partiripatioii  data  by 
utilizing  associative  networks,  spreading  activation  and  in  i  super  vised  learning.  In: 
Macintosh,  A.,  laniboiiris,  E.  (eds.)  Electronic  Participation.  LNCS,  vol.  5694,  pp. 
139  150.  Springer.  Heidelberg  (2009) 

2.  Payer,  U.,  Tenfl.  P.,  Kraxherger,  S.,  Larnberger,  M.:  Massive  data  mining  for  poly¬ 
morphic  code  detection.  In:  Gorodetsky,  Vb.  Kotenko,  I.,  Skonnin.  V.A.  (eds.) 
MMM-ACNS  2005.  LNCS.  vol.  3685,  pp.  448  453.  Springer,  Heidelberg  (2005) 

3  Payer.  U.,  Tenfl,  P.,  Larnberger,  M.:  Hybrid  engine  for  polymorphic  code  detec¬ 
tion.  In:  Julisch,  K.,  Kriigel.  C.  (eds.)  T31MVA  2005.  LNC’S,  vol.  3548.  pp.  19  31. 
Springer,  Heklelberg  (2005) 

4.  SniibeltSoftware  (Cwsandbox  -  automatic  behavior  analysis  of  malware) 

5.  Norman,  Norman  sandbox:  A  virtual  environment  where  programs  may  perform 
in  safe  surroundings 

6.  Vasiulevan.  A.,  Yerraballi,  R.:  Cobra:  Fine-grained  nialwan^  analysis  \ising  .stealth 
localized-ex('<’ntions.  hr.  IEEE  Syinposimii  on  Security  and  Privacy,  pp.  261  279 
(2006) 

7.  Song,  D.,  Brimdey,  13.,  Yin,  fl.,  Caballero,  ,J.,  Jager,  L.  Kang,  M.G.,  Liang.  Z., 
Newsome,  J.,  Poosankam.  P..  Saxena.  P.:  Bitblaze:  A  lU'w  approach  to  comiiiib'r 
security  via  binary  analysis.  Iir.  Sekar.  R.,  Pujari,  A.K.  (eds.)  ICISS  2008.  LNCS. 
v'ol.  5.352,  pp.  1  25.  Springer,  Heidelberg  (2008) 

8.  Microsoft,  Natural  language  processing  group:  Red iiioi id-based  natural  language 
proce.ssing  group 

9.  Stanford,  Natural  language'  processing  group:  Natural  language  processing  group 
at  Stanford  university 

10.  Aliixs-i,  Liiigpipe:  A  suite  of  java  libraries  for  the  linguistic  analysis  of  human 
language 

11.  Tsatsaronis.  G.,  Vazirgiannis,  M.,  Androntsoponlos.  1.:  Word  sense  disambiguation 
with  spreading  activation  networks  generated  from  the.sauri  In:  Wlo.so,  M.M.  (ed.) 
I.ICAI  2007  (2007) 

12.  Qnillian.  M.R.:  Semantic  iiiemory.  MIT  F’ress.  (Cambridge  (1968) 

13.  Crestani,  F.:  Application  of  spreading  activation  techniques  in  information  re¬ 
trieval.  Artificial  Intelligence  Review  11,  453  482  (1997) 

14  Fellbamn,  C.:  WordNet:  An  Electronic  Lexical  Databruse  (Language,  S])e(‘ch,  and 
Coininnnication).  The  MIT  Press,  Cambridge  (1998) 

15.  Kozima.  11. :  Similarity  betwei'ii  words  computed  by  spreading  activation  on  an 
english  dictionary.  In:  EACL,  pp.  232  239  (1993) 

16.  Qin,  A.K..  Suganthan.  P.N.:  Robust  growing  neural  gas  algorithm  with  application 
in  cluster  analysis.  Neural  Netw.  17,  1135-1148  (2004) 

17.  Klein,  D.,  Manning.  C.D.:  Fast  exact  inference  wuth  a  factored  model  for  natural 
language  parsing.  In:  Advances  in  Neural  Information  Processing  Systems  (NIPS), 
vol.  15.  pp.  3  10.  Mrr  Press.  C^ambridge  (2002) 


Secure  Multi- Agent  System  for  Multi-Hop 
Environments 


Stefan  Kraxbcrger,  Peter  Danner,  and  Daniel  Heiii 

Institute  for  Applied  liifonnation  Processing  and  Coininunicatioiis  (lAIK), 
Graz  University  of  Technology,  Inffeldgasse  16a,  A  8010  Graz,  Austria 
{skraxberger ,  pdanner ,  dhein}Qiaik .  tugraiz .  at 


Abstract.  Multi- agent  systems  allow  a  multitude  of  heterogenous  sys¬ 
tems  to  collaborate  in  a  simple  manner.  It  is  easy  to  provide  and  gather 
information,  distribute  work  and  coordinate  tasks  without  bothering  with 
the  differences  of  the  underlying  systems.  Unfortunately,  multiple  net¬ 
working  and  security  problems  arise  from  the  dynamic  behavior  of  multi- 
agent  systems  and  th('  distributed  heterogeneous  environments  in  which 
they  are  used.  With  our  work  we  provide  a  solution  enabling  secure 
collaboration  and  agent  execution  as  well  as  agent  mobility  in  multi¬ 
hop  environments.  We  achieve  this  by  using  a  secure  unstructured  P2P 
framework  as  communication  layer  and  integrate  it  with  a  well  known 
multi-agent  .system. 

Keywords:  Security,  Multi-Agent  Systems,  Multi-Hop  Networks,  Peer- 
to-Peer. 


1  Introduction 

Multi-agent  systems  (MAS)  have  been  ii.sed  to  solve  problems  that  are  out  of 
reach  for  stand-alone  or  monolithic  systems.  Examples  of  problems  to  which 
innlti-agent  systems  have  been  applied  include  eontrol  systems  [1],  [2],  timetable 
eoordinatioii  [3],  disaster  resi)ons('  [4],  [5].  MAS  are  especially  ])romising  for  disas¬ 
ter  response  scenarios.  Since  the  specific  tasks  of  such  scenarios  like  information 
gathering,  on-deniand  comi)utation,  information  distribution,  and  team  coordi¬ 
nation  are  well-suited  for  MAS. 

In  close  relation  to  MAS  we  find  the  pieer-to-peer  (P2P)  concept.  Structured 
P2P  systems  are  vc'ry  prominent  since  they  are  well  fitted  for  data  storage  and 
distribution.  Their  internal  organization  and  function  is  optimized  for  addressing 
(lata  in  a  distributed  environment.  Conversely,  they  are  ill  suited  for  the  pnrj)ose 
of  a  general  overlay  network  that  provides  general  eonnnnnication  and  resource 
sharing  fnnetious.  Unstructnrc'd  P2P  networks  are  ideal  for  establishing  a  general 
overlay  since  they  only  provide  the  means  of  organizing  the  overlay  topology  and 
providing  connectivity  between  the  separate  nodf«. 

Besides  all  the  functions  which  have  been  enabh'd  by  multi- agent  and  peer- 
to-peer  systems,  new  kinds  of  network  security  threats  have  been  introduc  ed  [6, 
7.8,9]  as  well.  These  new  threats  are  much  more  difficult  to  address  because 


1.  Kotenko  and  V.  Skormin  (Eds. )r  MMM-ACNS  2010,  LNCS  6258,  pp.  270  283,  2010. 
0  Springer- Verlag  Berlin  Heidelberg  2010 


Secure  Multi- Agent  System  for  Multi-Hop  Eiivironiiients  271 


of  the  composition  and  distributed  nature'  of  tlu'se  systems.  Malicious  or  selfish 
nodes  ('an  distract,  disturb,  obstruct  and  impede  the  con^ct  excTiition  of  P2P 
systrnns  often  with  little  effort  [10,11,12].  In  a  P2P  system  every  entity  is  equal. 
Every  ('utity  provich's  the  sanu*  set  of  functions.  In  a  centralized  system  this  is 
restricted  to  a  select  few.  This  fact  necessitates  global  protection  of  all  entities 
and  their  interactions. 

Tile  main  (‘ontribiition  of  onr  work  is  to  first  enable  multi-agent  systems  {o 
work  in  luulti-liop  environments  and  second  to  pnnide  means  to  do  tliat  in  a 
secure  manner.  Onr  work  provider  a  comprehensive  .solution  for  building  a  .lava- 
liased  innlti-ageiit-systcnii  with  a  secure  p('('r-t()-p('er  communication  layer.  We 
ns('d  the  two  existing  systems  JADE  and  the  Secure  F^2F^  framework  (SePP).  and 
integrat('d  tlmni  using  the  .lADE  comniiniication  iiitc'iface.  Out  of  tlic'  box  th(' 
communication  in  JADE  is  based  on  Remote  Method  Invocation  (RMI),  which 
only  guarantees  en(l-to-('nd  security  via  SSL  encryption.  Our  approach  relii's 
on  a  p('er-to-p('er  system  to  guarantee  not  only  authentication.  iut('grity  and 
confidentiality  in  direct-connectc'd  networks  but  also  in  multi-ho|)  environments. 
In  addition.  SePP  is  basc'd  on  a  scalable  security  concept  that  allows  to  adjust 
th('  security  in<?asures  according  to  the  ne('ds  and  eapabilitic's  of  participating 
(kwices. 

SiibscHpieiitly.  we  prc'sent  how  the  JADE  agent  middlew^are  and  the  SeFH^ 
framc'work  can  Ix'  (‘ombined  to  develop  a  .secure  multi-agent-systein  for  multi- 
hop  eiiviromiK'iits.  Wo  briefly  outline  the  (h'sign  and  implementation  of  SePP. 
Thereafter,  we  present  the  messaging  in  Jade  and  the  default  network  iinpleuieii- 
tation.  Our  implementation  is  ('oneisely  described  with  a  focus  on  the  specific 
solutions  such  iis  the  iiie.ssage  dispatcliing  or  the  transparent  proxy  generation. 
At  hkst  w('  provide  results  and  a  short  benchmark  which  eonipares  vanilla  JADF" 
and  our  implementation. 

2  Motivation 

MAS  technology  relies  heavily  oil  the  c'xistence  of  a  lu'tw^ork  infra.strncture.  Un- 
fortunalely,  in  case  of  an  emergency  it  can  not  be  assumed  that  an  infrastruc¬ 
ture  bound  network  is  fully  working.  EiiKTgencies  can  occur  in  isolated  regions 
wdiich  lack  tlu'  imces.sary  infrastructure  sucli  as  coinpieliensive  wared  or  ware- 
less  network  coverage.  Also,  a  disaster  which  caused  the  einergeney  could  hav(' 
(h'stroyed  or  disrupted  the  n'qiiired  infrastructure.  The  absence  of  a  function¬ 
ing  static  network  infrastrnctnre  necessitates  that  crucial  inforniatioii  for  oii-site 
('inergeney  response  must  be  made  available  through  mobile  ad-hoc  networks. 
Idc'ally,  this  nmchanisni  is  backed  by  fail-back  coniinnnieatioii  facilities  such  as 
eSM,  UMTS,  satellite  communieatiou,  and  TETRA.  The  information  recpiirc'd 
to  respond  properly  in  ease  of  eniergeiu'ic's  usually  consists  of  eonfidential  data 
iiuJuding  personal  health  records  or  electric  grid  maps  that  should  only  be  avail¬ 
able  to  authorizc'd  personiK'l.  Tims,  tlie  provision  of  network  comu'ctivity,  as  woW 
as  managing  access  to  confidential  data  during  the  emergency  rc'spousc'  operation 
is  a  substantial  network  s(^eurity  challenge. 


272  S.  Kraxberger,  P.  Danner,  and  D.  Hein 


cx)nriputing  sites  (e.g.  hospitals, 
blood  bank,...) 

J  Software  Agent 

Fig.  1.  Example  of  a  disaster  response  scenario  with  on-site  equipment 


To  illustrate  the  applicability  of  tli(»  secure  P2P  htised  agent  system  intro¬ 
duced  ill  this  paper,  wc  describe  a  real  life  scenario.  Tlu'  object  of  our  scenario 
is  a  mine  coiiiph'x  with  .several  stakeholders.  For  crisis  operations  it  is  essen¬ 
tial  that  all  relevant  documentation  is  made  available  to  the  emergency  services 
and  on-site  iiersoiial.  One  conceivable  emergency  situation  in  a  mine  complex 
is  the  collapse  of  several  tunnels.  A  solution  that  provides  access  to  all  reh'- 
vant  information  pertaining  to  the  affected  mine(s)  such  as  emergency  plans, 
legal  documents,  and  reports  of  mining  activities,  as  well  as  topographical  and 
cartographic  material  is  necessary.  By  applying  the  multi-agent  system  concept 
using  a  secure  f^2P  framework  as  connnunication  layer,  it  becomes  possible  to 
provide  a  secure  decentralized  solution  to  that  problem.  During  an  emergency 
different  organizations  have  to  cooperate.  This  includes  fire  and  rescue,  medical, 
and  police,  iis  well  as  other  emergency  services  .such  as  mine  rescue,  or  utility 
services.  Each  service  has  its  own  information  infrastructure  including  hard-  and 
software,  and  employs  different  security  mechanisms.  As  a  common  characteris¬ 
tic,  we  assume  that  if  security  measures  exi.st,  they  rely  on  cryptographic  keys 
and  functions. 

2.1  Security  Assumptions  and  Bootstrapping 

The  security  of  our  solution  relies  on  the  secrecy  and  authenticity  of  keys  stored 
in  nodes.  We  rely  on  the  following  keys  to  be  set  up,  depending  on  which  security 
level  is  nscxl  by  the  node: 

-  If  a  shared  secret  key  is  used,  we  as.snme  a  mechanism  to  set  up  a  secret 
key  for  a  network  with  7i  nodes. 


Secure  Multi* Agent  System  for  Multi-Hop  Environments  27‘i 

-  If  pub  lie- private  key  pairs  arc  used,  we  assiiiiie  a  incclianisni  to  set  up  one 
authentic  i)ublic-private  key  pair  for  each  node.  In  addition,  the  authentic 
pul)lic  keys  of  legitiniate  certificate  authorities  must  also  he  set  up  for  each 
node. 

To  set  iij)  shared  secret  k(\vs.  most  key  establishment  i)rotocols  involve  a  so-called 
tiiistcd  third  party  or  trusted  authoi'ity.  Sinc(\  w('  doiih  want  to  iiitroduc(‘  a  single 
point  of  failure  in  onr  system  such  protocols  are  not  apj)lical)le.  We  require  only 
one  shared  secret  key  instead  of  pair-wise  shared  keys  which  can  be  effi(‘i(m(ly 
handled  by  prc'-deployed  keying.  Thus,  we  can  either  use  a  single'  lu't work- wide' 
key  shared  by  all  iie^eles  or  a  set  of  keys  rande^nily  chosen  from  a  key  pe^ol  siiedi 
that  two  noele\s  will  share  one'  key  with  a  e:ertain  probability  [HI]. 

To  set  lip  public-i)rivate  ke'ys  we  use  an  e)ffline  PKI  approach  since  we  want  te) 
j)re‘ve'iit  a  single  i)oint  of  failure  and  want  to  allow  node  addition  during  system 
operation.  Thus,  the*  j)rivate  and  j)uhlic  key  Jis  we'll  as  the  trnstoel  antheuity’s 
publie'  ke'v  are  embe'dde'd  in  e'ae:h  noele.  The  public  ke'ys  e)f  otlie'r  ne^des  are  aii- 
theuiticateel  using  the  trusted  authority’s  i)ublic  key.  Using  such  a  system  allow^s 
us  te)  j)re)viele  the  rexpiire'el  authentication  but  it  is  not  j)e)ssible  to  haiieile  revo¬ 
cation.  In  orele'r  te)  also  enable  revocation  one'  e*aii  e'ither  use  a  elistribiiteel  PKI 
solution  siie'h  Jis  [14,15]  or  inij)leinent  a  distributee!  revocation  system  [16]. 

It  is  lU'ce'ssary  te)  note'  that  e)ur  system  is  not  inteiide'd  as  an  open  system.  We 
ele)n’t  alle)W'  arbitrary  noek's  te)  je)in  and  thereafter  establish  secure  communication 
through  key  agree'inent  siiie'e  tlu'se  mechanisins  eloiTt  proviele  imde  authentica¬ 
tion  in  the  absence  of  a  trustee!  authority.  Although  it  is  possible  that  arbitrary 
imeles  join  e)ur  syste'in,  se'cnrity  is  only  j)rovided  for  iioeles  w4iich  possess  authen¬ 
tic  creeleiitials.  Tlie'se'  legitiniate  nodes  e*aii  join  and  eommunicate  in  a  sevure' 
manner  establishing  a  virtual  private  overlay. 

3  Secure  P2P  Framework 

The  secure'  P2P  framewx)rk  (SePP)  is  a  e'e)inpreheiisive'  solution  for  establishing 
an  unst met n reel  P2P  network  in  a  secure  manner.  It  provides  se^enre  inee  haiiisiiis 
fe)r  e'reating  anel  maintainiiig  the  overlay  netw^ork,  establishing  anel  managing 
gre)ups  anel  se'ciirity  aelniinistration.  The  design  and  ini])lenie'ntation  of  all  these' 
ine'chanisms  and  pre)te)e*e)ls  is  based  on  a  simj)le  but  eflicient  security  concept  [17]. 
This  security  coiicej)!  has  be'eii  elesigneel  with  heterogeneous  niulti-he)p  netwH)rk 
environiiie'iits  in  mind.  Another  aspect  in  the  design  of  the  sercurity  concept  was 
coiiHgurability.  Thus,  giving  each  ne)ele  the  frc'celoin  to  sek'ct  its  desired  level  of 
se'e  urity  with  re'spe'e  t  to  its  capabilities. 

3.1  SePP  Security  Concept 

The  SePP  security  coiK('i)t  i)rovides  a  simple  w'ay  to  select  adequate  security 
iiK'asnres.  This  allow^s  achieving  a  specific  security  level  in  the  face  of  hetero- 
g('iieous  nodes  wuth  diverse'  capabilities.  The  features  of  a  security  concept  mv 


274  S.  Kraxhergcr,  P.  Danner,  and  D.  Hein 


of  course  iinportaiit.  Especially  in  our  case,  the  capability  to  support  powerful 
workstations,  as  well  as  constrained  mobile  devices  is  equally  important.  For 
the  remainder  of  this  document  we  call  this  scalability.  Givcni  our  scenario,  the 
security  concept  must  also  address  node  mobility.  Nodes  with  different  mobil¬ 
ity  patterns  must  be  able  to  participate  in  the  network.  Thus,  the  underlying 
mechanisms  have  to  cope  with  a  changing  environnient  in  a  secure  and  efficient 
manner.  The  last  characteristic  is  transparency.  Since  nodes  with  different  capa¬ 
bilities  can  parti{‘ipate  in  the  network,  the  achievable  seemity  level  of  a  specific 
communication  session  must  be  determinable  in  advance. 

All  secure  communication  mechanisms  are  considered  with  the  same  basic 
group  concept  in  mind.  A  group  is  simply  a  virtual  aggregation  of  an  arbitrary 
amount  of  nodes  which  follow  the  same  rules  and  use  the  same  j)rotocols.  Every 
node  can  communicate  with  any  other  node  inside  a  group.  Every  virgin  node 
belongs  to  a  default  group  after  it  has  joined  SePP.  Thereafter,  a  peer  can  create 
or  join  other  groups  which  are  composed  of  a  subset  of  the  peers  belonging  to 
the  default  group. 


3.2  Security  Levels 

There  are  three  different  aspects  of  security  which  apply  to  every  group: 

1.  Establishing  secure  cormnunication  (admission  security) 

2.  Performing  secure  communication  (data  security) 

3.  Upholding  secure  communication  (secret  pjvtcction) 

Establishing  secure  communication  relates  to  secure  group  administration.  It 
combines  entity  autlunitication  and  authorization,  stxure  neighborhood  mech¬ 
anisms  and  secure  bootstrapping.  Most  notably  the  join  process  is  addressed 
with  this  aspect.  After  successful  authentication  each  node  owns  a  secret  key 
which  is  shared  amongst  the  group  members.  This  key  is  called  session  key  and 
is  now  used  in  addition  to  existing  keys  in  order  to  increase  the  performance 
of  performing  secure  communication  between  group  members.  This  means  for 
instance  that  the  routing  information  is  protected  or  all  message's  are  protected 
groujvwise.  The  benefits  of  a  session  key  are  that  it  can  be  updated  to  protect 
against  side-channel  attacks  or  to  exclude  misbehaving  nodes  from  the  network. 
Upholding  secure  communication  relates  to  preventing  and  limiting  damage  from 
exposed  session  keys.  This  can  be  achieved  through  means  such  as  side-channel 
attack  protection,  malicious  peer  detection  or  session  key  refreshing.  The  overall 
security  for  SePP  can  be  set  individually  on  three  separate  axes.  These  three 
axes  conform  to  the  three  aspects  given  above.  In  figure  2  we  have  outlined  the 
different  aspects  of  sc'ciirity. 

For  simplicity  we  only  use  three  different  levels  of  security.  These  levels  are 
low  (0),  medium  (1),  and  high  (2).  Each  of  these  security  levels  can  be  chosen 
differently  for  ('very  security  asjx'ct  indei:)endently.  It  is  also  possible  to  create 
more  and/or  different  security  levels  depending  on  the  system  ri'quirements. 


Secure  Multi-Ageut  Systeui  for  Multi-Hop  Envirouineiils 


275 


Each  of  llic8('  security  levels  is  associated  witli  a  specific  kind  of  CRHleiitial  or 
cryptographic  key.  For  instance,  security  level  high  requires  each  nock'  to  possc'ss 
a  valid  and  legitimated  public  and  private  key  pair.  For  the  medium  level  tlu' 
nodes  must  possess  a  shared  .secret  key  for  authentication.  No  secret  information 
is  us('d  in  sc'curity  level  low.  Meaning,  that  if  the  security  level  low  is  selec'ted. 
every  nodc^  can  participate  in  the  network. 

Ill  figure'  3  nodes  are  grouped  into  different  security  levels.  The  peers  in  the 
light  grey  area  belong  to  security  level  incdium.  The  peers  in  the  dark  grey  arc'a 
belong  to  security  level  high.  All  peers  outside  these  areas  belong  to  security 
level  low.  Our  system  has  bc'cn  desigiu'd  in  sneli  a  way  that  peers  with  higher 
security  Icvc'ls  also  belong  to  the  lower  security  levels  and  are  provided  with  the 
rcquirc'd  crc'dentials  for  their  operation. 


Admission 

security 


Security  aspect 


Data  security 


Session  key 
protection 


Public/private 
key  pair 


Pre-shared 
secret  key 


None 


Message  auth  & 
encryption 


Message 

authentication 


None 


Key  refreshing  & 
SCA 

countermeasures 


Key  refreshing 


None 


Fig.  2.  Level.s  of  security  in  the  grou|)  concc'pt 


Fig.  3.  Overlay  network  topology  with  groups  of  ditTerent  security  levels 


276 


S.  Kraxherger.  P.  Danner,  and  D.  Hein 


4  JADE  Multi- Agent  System 

The  Java  Agent  Dovolopiiient  Fi-amework  (JADE)  is  a  middleware  which  sim¬ 
plifies  the  development  of  FIPA-coinpliant  agents.  It  provides  support  for  server 
and  desktop  eompnters  and  eonst rained  devices.  It  has  been  designed  under 
eoiisideratioii  of  scalability  and  supports  it  throughout  the  complete  develop¬ 
ment  cycle. 

JADE  commonly  uses  RMI  for  the  purpose  of  inter-agent  eomniunication. 
RMI  is  a  Java  technique  to  provide  method  invocation  over  a  TCP/IP  network. 
The  main-goal  behind  the  design  of  RMI  was  to  easily  provide  an  architecture 
where  code  eaii  dynamically  be  loaded  from  a  server.  This  is  achieved  facilitating 
a  client/server  architecture  and  object  serialization.  A  central  entity  for  method 
binding,  called  the  RMI  registry,  enables  methods  to  be  called  from  RMI  clients 
remotely  ev^eii  over  a  network. 

The  JADE  Message  Transport  Protocol  (MTP)  default  implementation  is 
based  on  Java  RMI.  Also,  the  current  version  of  JADE  possesses  a  well  defined 
interface  for  implementing  other  tran.sportation  protocols.  Unfortunately,  this 
interface’s  arehiteeture  is  heavily  RMI  orientated.  Thus,  any  optional  MTP  im¬ 
plementation  must  adapt  its  messaging  system  to  emulate  the  RMI  work-flow. 

4.1  JADE  Messaging 

In  order  to  understand  the  impleinentation  of  the  MTP  layer,  it  is  first  neces.sary 
to  iiiider.stand  how  JADE  .sends  messages.  Therefore,  we  now  de.scribe  JADE’s 
message  transmission  sequence.  In  the  following  we  have  to  distinguish  between 
the  main  peer,  which  is  responsible  for  managing  the  agent  platform  with  its 
nodes  and  services  and  the  remote  peer  which  uses  the  main  peer’s  interfaces 
through  proxies.  The  first  step  in  creating  an  agent  platform  is  to  instantiate  the 
main  peer.  Thereafter,  anew  MTPManager  is  created  and  the  PlaiformM onager 
is  used  to  adverti.se  the  JADE  Platform.  Finally,  a  Platform  Proxy  is  established 


Jade  Agent  Platfomi 


Host 


Agent 

Container 


SePP 


JRE 


Agent 

Container 


S«PP 

=rr- 

JRE 


Networit 


Agent 

Container 


SePP 


JRE 


Fig.  4.  Secure  Jade  Architecture 


Securt'  Multi- A  gout  System  for  Multi- 1  lop  Environments 


277 


1  fftadObiactn’i  I 

- - rr.  wm<»pi»h 


3 


3 


«  MndO 

r-^eL., 


16  dNptciH)  _ 


6  'Cca«v«M«Mag»<  i 

t3> 


.  w 


Fig.  5.  Message'  se'quenre' 


through  th('  speeifieatioii  of  the  main  pen's  ruldrc'ss  (lining  the  cremtion  of  the 
remote  p('('r.  With  this  proxy  th(‘  remote  peer  is  able  to  aeet'ss  all  the  fnnetions 
available  in  the  platform. 

After  the  K'lnote  and  main  peer  are  eoniiecti'd  we  ereate  a  JADE  node  on 
eaeh  peer.  Nodes  are  tlu'  agent  platform \s  inter-ag('nt  eommunieation  ineehaihsm. 
Each  node  is  assoeiatt'd  with  an  array  of  serviees  niiming  on  the  nod(*.  If  tlu' 
remote  pec'r  wants  to  send  a  inessagt^  to  the  main  pe<'r  the  remote  peer  asks 
the  Platfoi'inMaiiager  via  the  PlatfoTinPivxy  whieh  services  arc  running  on  tlu' 
node  of  th('  main  peer.  During  this  recpiest.  the  main  pi'c'r  serializes  his  local 
node  and  the  remote  pe(T  reeeivt'S  a  proxy  to  the  node  of  the  main  peer.  With 
this  proxy  the  remote  peer  is  able  to  access  tlu'  remote  peer’s  node.  hYoin  now 
on,  the  two  agent  eontaiiK'rs  hav^e  the  ability  to  connnnnicate  wdth  eaeh  otlu'r. 
For  an  example  of  the  JADE  messaging  prcjcess  see  figure  5. 

5  Secure  Multi-Agent  System 

Ba.sed  on  the  general  oyerview  in  the  previous  S(‘ction,  w('  now  pr(\S('nt  onr  imple¬ 
mentation  of  a  secure  nu^ssaging  mechanism.  For  an  architectural  overview  of  onr 
implementation  see  figure  4.  The  first  step  was  to  ('innlatc'  the  RMl  behavitn*  on 
top  of  SePP  using  different  nu'ssage  classes.  A  message'  class  is  a  generalization  of 
a  method  call.  The  knowledge  about  which  method  should  be  ealkxl  and  how  it  is 
parameterized  is  encapsnled  within  the  eoiicrete  ine.ssage  classes.  We  recpiire  two 
message  classes  per  method.  First,  a  request  message  class,  wdiose  payload  is  the 
parameters  of  the  method.  Sec'ond  a  response  message  class,  which  contains  tlu' 
return  value  of  the  corn'sponding  mod  hod.  We  chose  this  dc'sign,  because  it  allows 
convenient  message  dispatching  and  because  this  architecture  is  ('xtendible. 


278  S.  Kraxbcrger,  P.  Danner,  and  D.  Elein 


5.1  Implementation 

The  SccureP2PlMTP Manager  is  the  general  entity  that  advertises  the  agent 
platform  and  it  provides  the  remote  peers  with  access  to  the  main  peer.  The 
functionality  of  the  S  ecure  P2P  I MTP  Manager  is  comparable  to  the  RMI  registry 
as  mentioned  alxne,  with  the  difference  that  we  don’t  have  a  special  storage 
facility,  where  the  remote  methods  are  registered.  The  main  peer  listens  for 
incoming  requests  from  the  remote  peers. 

Every  communication  between  the  two  peers  is  done  via  the  PlatforrnProxy.  As 
an  example  we  observ^e  the  behavior  of  the  addNode  method  which  is  called  when 
a  new  agent  container  is  added.  When  called  from  a  PlatfoiinProxy  the  addNode 
method  creates  the  appropriate^  request  to  the  remote  Platform  Manager.  This 
recjiiest  is  sent  to  the  main  peer.  On  the  main  peer  the  message  is  dispatched  to 
the  local  PlatformManagcr  where  the  request  is  processed  and  a  new  container 
is  created.  The  return  vahie  of  the  method  is  sent  back  to  the  remote  peer.  If  the 
PlatforrnProxy  is  a  proxy  for  a  local  object,  the  same  recpiest  is  created.  Instead 
of  sending  it  over  the  network,  it  is  dispatched  locally.  JADE  also  facilitates 
a  different  transmission  concept  which  enables  sending  from  a  Node  Proxy  to  a 
LocalNode.  This  mechanism  is  almost  identical  except  for  the  j)roxy  generation 
process. 

The  class  SecureP2PPecr  is  the  interface  to  the  SePP  network  through  the 
SePP  franiewvork  API.  This  API  allows  classes  which  impleinent  the  Component 
interface  to  register  themselves  to  received  messages  with  <x  specified  message 
type.  If  a  message  is  received  in  the  SeeureP2PPeer.^  the  reccivedMcssage  method 
is  called.  Inside  this  method,  the  received  byte  stream  is  un-marshalled  and  a 
JADEMcssagc  is  created.  This  JADEMessage  is  then  passed  to  the  registered 
Component. 

Due  to  the  limited  space  available,  we  had  to  omit  many  details  of  oiir 
implementation. 

5.2  A  Message  Sending  Sequence 

This  section  combines  the  concepts  discussed  so  far  and  illustrates  a  sample  com¬ 
munication  sequence  of  the  JADE  platform.  We  chose  he  method  accept  for  an 
illustration  example  of  a  message  sending  sequence.  Accept  is  used  by  the  agents 
for  communicating  within  the  middleware.  We  presume  that  the  Platform  Proxy 
was  already  created  and  the  tw^o  nodes  are  ready  to  send. 

The  sequence  diagram  <lepict(Hl  in  figure  5  illustrates  the  whole  messaging  pro¬ 
cess,  starting  from  creating  the  NodeProxy  until  the  return  of  the  method  accept. 
Ill  the  first  step  the  NodeProxy  is  created  after  serializing  the  SecureP2PNode 
from  higlu'r  layers  of  the  .lADE  middleware  using  a  mechanism  called  trans¬ 
parent  proxy  generation.  Afterwards  the  accept  call  on  the  SecureP2PNode  is 
delegated  to  its  Proxy.  This  proxy  creates  a  request  message  and  .sends  it  via 
the  SecureP2PPeer  class.  On  the  remote  container  the  message  is  received  and  a 
new  w^orker  thread  is  created.  This  new  worker  thread  forwards  the  message  to 
its  corresponding  JadeCornponenf  in  this  Cctse  \vc  have  a  LocalNode.  The  next 


S(‘cure  Mnlti-Agoiit  Systoni  for  Multi-Hop  Eiiviroiimoiits  21\) 

stop  is  to  iiivoko  (lio  method  related  to  the  message  and  forward  the  return  vahu’ 
via  the  SeruroP2PPeer.  Bac'k  on  the  iiiain  peer  the  message'  is  disi)atehed  and 
the  original  emphaceept  call  returns. 

6  Security  Analysis 

Th('  main  contribution  of  our  work  is  to  first  enable  multi-agent  systems  to  work 
in  multi-hop  environments  and  sexoiid  to  i)rovide  means  to  do  that  in  a  secure 
inamier.  Vo  establish  the  exact  hoiuidaries  of  our  security  analysis  we  first  dedim' 
our  assumptions  on  the  environment. 

1.  Each  pi'cr  or  user  that  is  a  ])art  of  the  innhi-hoi)  enabh'd  coniiunnication 
sul)systein  must  be  authenticated.  This  means,  each  user  joining  the  systc'in 
must  provide  a  prove  of  it's  idcaitity  depc'iiding  on  the  security  rtxpiiix'nients 
of  the  overall  system.  This  can  involve  eitlu'r  soiiK'thing  th<‘  user  knows  or 
soiiK'thing  th<'  ii.sx'r  h<us. 

2.  A  multi-hop  enabU'd  MAS  must  ])r(jvid(‘  means  to  coimiiuuicate  ('veii  in  the 
absf'iice  of  direct  connections  between  the  diffc'n'iit  parts  of  the  MAS.  Thus, 
it  must  be  possible  for  agents  to  coinmimicatc'  with  ('acli  other  in  a  hojvby- 
hop  manner  in  addition  to  direct  coniiunnication.  This  fact  r<'(|uires  seenn' 
routing  algorithms  which  guarantee  that  only  legit imabxl  and  trusted  hops 
are  used  to  forward  data.  Otherwi.se,  malicious  pc'ers  can  disrupt  communi¬ 
cations  or  .separate  parts  of  the  MAS  at  their  will. 

,'b  The  data  communication  of  the  MAS  must  b('  protected.  Dc'pciiding  on  th<' 
sysb'iii  sec  urity  nxjnirc'iiK'iits  this  can  include  protection  from  faI)rication, 
modification,  interruption  and  intercc^ptioii.  This  translate’s  to  data  authen¬ 
tication  and  data  confidentiality  in  addition  to  re])ly  protex tion. 

b  Participating  usc'rs  are  coiisidc’rcxl  trustworthy.  Thus,  only  attacks  from  cw- 
teriial  entitic's  are  considc’rc’d  (outsider  attacks).  In  addition,  it  should  Ix' 
possible  to  identify  attacks  from  inalicions  iiisidc’rs  if  the  sc’cnrity  recpiirc'- 
ments  for  snc*h  an  identification  arc*  met. 

To  ( ouclude  the  list  of  a.ssuinptions  it  has  tc^  be  rc'iiiarked  that  it  is  always 
im})ortant  to  scale  the  .security  ineclianisins  ac'cording  to  the  potential  damage’. 
Eve'ry  user  should  use  the  best  available  sexairity  mexasnre's  given  his  re\sonrc('s. 

6.1  Analysis  of  the  SePP-Jade  Solution 

The’ join  proe-c’ss  in  Se'PP  is  sc’cnre'd  and  providc’s  aulhe'utie  ation.  This  guaiautc’es 
that  only  legit  iinate’d  pc’ers  e*au  join  and  participate  in  the  enerlay  network.  After 
pe’ea*s  have  joined  the  SePP  lu'twork,  differe'iit  se’cnre  rout  ing  algorithms  can  be' 
use'd  to  gnarautee'  the  integrity  of  the  network.  Tlu'se  routing  protocols  allow 
for  a  .se'ciire  e'.stablishme'iit  and  maiiitenance  of  e'lid-to-e'ud  i)aths  in  the  overlay 
network.  Depending  on  the  overall  sc'cnrity  reepiireinents  and  selecte'd  .security 
le'vel,  SePP  ])rovide's  iiu'ans  for  data  auth('utie*atiou  and  confidentiality.  Se'PP 
use's  well  known  cryptographic  algorithms  and  protocols  to  e'lisure  the  security 


280 


S.  KraxbiTger,  P.  Danner,  and  D.  Hein 


of  the  data.  Reply  protection  is  also  integrated  into  SePP  through  its  messaging 
system. 

The  security  levels  and  SePP  are  designed  in  such  a  manner  that  for  low 
everybody  ean  participate  and  no  cryptographic  protection  is  applied.  Thus,  no 
guarantees  on  the  seeiirity  of  the  system  ean  be  given. 

In  security  level  medium  shared  secret  keys  are  used  for  node  authentication. 
Therefore,  the  secure  routing  protocol  which  enforces  authentication  ba.sed  on 
these  .secret  keys  provides  protection  from  outsider  attacks.  In  this  security  level 
insider  attacks  are  still  possible. 

In  security  level  high  digital  signatures  are  used  to  secure  the  established 
routes.  Thus,  also  insider  attacks  from  non-collaborating  peers  can  be  prevented. 
Non-eollaboration  means  that  the  peer  does  not  control  any  other  peer  on  a  path 
from  the  source  to  the  destination.  If  peers  collaborate  they  can  always  perform 
a  wormhole  attack  by  tuiimding  the  route  reepu'st  from  one  peer  to  the  other  and 
effectively  shorten  the  route  length.  This  attack  only  works  if  the  controlled  path 
is  also  the  fastest.  Otherwise  the  request  would  arrive  to  late  to  be  selected  from 
the  destination  as  new  route  to  the  source.  For  instance,  peer  D  is  the  source  and 
peer  C  is  the  peer  who  meets  the  destination  information  requirements.  Now  if 
peer  B  and  peer  J  of  figure  3  collaborate  and  tlu'  tunneled  request  would  arrive 
earlier  than  the  other  one  traveling  over  A  and  E,  this  atta(^k  still  succeeds.  Such 
attacks  can  currently  only  be  iiiitigiited  if  location  information  and  synchronized 
clocks  are  used  [12, 18]. 

7  Performance  Evaluation 

To  benchmark  onr  implementation  we  compared  it  with  JADE’s  out-of-the-box 
RMI  implementation.  We  used  the  Party  Agent  application  from  the  .JADE  ex¬ 
amples.  Within  this  application  we  created  500  Party  Guest  agents  which  send 
sev('ral  messages  to  each  other  in  order  to  pass  on  some  gossip.  We  measured  the 
time  from  the  start  of  the  application  until  all  messages  are  sent,  and  the  l)arty 
has  officially  ended.  During  this  time  about  7000  messages  have  been  sent  and 
receivetl  from  the  agents.  The  party  host  agent  is  rt'sponsible  for  about  99%  of 
the  messages. 

The  tests  have  been  performed  on  HP  personal  computers  with  Intel  Core 
2  Duo  E8600  processors  with  3.33  GHz  and  4  GB  RAM  and  Windows  7  as 
operating  system.  The  SePP  framework  implementation  has  been  executed  on 
Java  JDK  6  Update  17  runtime  environments.  During  the  test  no  virus  program 
or  firewall  was  active. 

The  values  in  table  1  have  been  obtained  from  different  runs  of  the  PartyAgent 
api)lication.  These  values  show  how  long  one  specific  run  of  the  application  took. 
In  the  first  column  the  values  from  the  vanilla  JADE  version  using  RMI  without 
any  .security  feature  are  presented.  The  next  two  cohunns  show  the  amount  of 
time  it  took  for  the  same  application  to  finish  using  SePP  with  security  level 
medium  as  eoinmnmeation  layer.  The  first  oiu'  has  been  obtained  for  the  ease 
that  the  two  peers  have  a  direct  connection.  The  second  one  depicts  the  case 


Secure  Miilti-Ageiit  System  for  Multi-lloj)  Fjiviromiients 


281 


Table  1.  Processing  time  of  the  different  security  levels  at  the  particij)ating  pcH'is 


RMI  [s] 

SePP  (direct)  [s] 

SoPP  (1  hop)  [s] 

1 

4,40 

15,40 

10,20 

2 

3,70 

14,80 

10.90 

3 

3,40 

14.30 

15,90 

4 

3.00 

10.10 

15.80 

5 

3.50 

14.00 

15.40 

(i 

3.90 

14.00 

10,10 

7 

3,40 

13,40 

15.40 

8 

3.70 

15.00 

15,80 

f) 

3.30 

10.00 

15.30 

10 

3,40 

14.30 

16.00 

Mean 

3,t)3 

14.75 

15,88 

that  tlioro  is  one  interiiiediate  liop  l)etwcen  the  main  peer  and  the  remote  pc'cr. 
TIk'  run  time  of  tlie  JADE  version  using  SePP  is  about  four  to  five  times  slower 
than  the  IIMI  v(u*sion.  Tliis  fact  ('an  be  attributed  to  increased  processing  time 
for  cryptography  and  the  P2P  management  and  communication  ovcTlieacb  Th(‘ 
usual  round  trip  time  in  SePP  without  transmission  latency  is  about  5()0//s. 
Tluis,  sending  and  r('ceiving  TOOO  iiu'ssagi's  alone  would  accotmt  for  3,5  s(H*onds, 
whicli  already  is  tlie  mean  run  time'  of  the  RMl  version, 

8  Related  Work 

Multi-agent  systems  liave  bf'cn  used  in  disaster  respemse  scenarios  previously. 
For  instaiK'e  disastcu'  rc'sponse  [4],  [5]  have  shown  that  MAS  can  be  quite  helpful 
under  such  circumstances.  But  tlmse  approaches  haveuPt  addressed  security  or 
multi-hop  communication  requirements  in  anyway.  Phey  where  only  coiK'eriKvl 
with  showing  the  feature's  MAS  can  provide  in  disaster  response. 

The  JADE  developers  itsf'lf  have  proposi'd  a  serurity  extension  for  its  franu'- 
work  [19],  Anyhow,  this  security  framework  is  only  intended  as  add-on  for  JADE 
and  therefore  doe'siPt  address  all  rcHiinremeuts  for  security  in  such  challeiiging 
environnK'iits,  Also  their  extension  only  provided  interface's  for  JAAS  (.Java  Au¬ 
thentication  and  Authorization  Service)  and  they  didiPt  implement  any  security 
itsedf  or  give  instrnedie^ns  on  how  to  use  it.  There  e'xist  also  some  other  works 
which  have'  aeldre^sse'd  security  in  JADE.  But  they  are  all  theore'tical  and  only 
outline  the  re'etuirememts  and  discuss  the  necessary  security  features  formally. 
One'  such  e'ffort  is  [20]. 

Some  other  works  have  also  addresse'd  se'curity  of  multi-agent  systems.  But 
almost  all  have  only  been  of  theoretical  nature'.  They  have  (3utline'd  the  reejuire'- 
iiK'uts  in  terms  of  security  and  shown  what  attacks  and  threats  are*  possible  with 
in  the  domain  of  MAS.  The  nio.st  prominent  sueJi  work  is  [6]. 


282 


S.  Kraxberger,  P.  Danner,  and  D.  Hein 


9  Conclusion 

Ill  conclusion,  the  proposed  multi- agent  system  with  SePP  <as  underlying 
comniuni(‘ation  iiifrjistructure  enables  the  use  of  agent  technology  in  multi-hop 
environments  in  a  secure  way.  We  provided  simple  means  of  integrating  and  en¬ 
hancing  existing  MAS  with  .secure  communication  mechaiiisins  without  the  need 
for  redesign  or  re-impleinentation  of  the  MAS  itself.  We  introduced  an  RMI- 
style  interaction  layer  which  mediates  between  the  MAS  on  top  of  a  scx'iire  P2P 
framework.  The  security  maiiag<Miient  is  separated  from  the  MAS  application 
and  can  be  adjusted  aexording  to  tlu'  needs  of  the  partieijiating  entities.  With 
our  solution  it  is  possible  to  eomiily  with  various  security  requirements  in  a  fine 
grained  nianner  since  it  is  possible  to  select  security  levels  from  a  glol)al  to  a 
group  scale.  The  introduced  security  guarantees  increased  robustne.ss  and  the 
added  multi-hop  functionalities  justify  the  marginal  negative  impact  on  eoin- 
munication  performance  compared  to  JADE's  RMI  solution.  Furthermore,  we 
believe  that  our  solution  has  the  potential  to  increase  the  effieienc}-  of  emergeney 
response  operations  for  scenarios  where  an  existing  network  infnistrueture  has 
been  destroyed  or  disrupted  and  the  different  parties  had  to  rely  on  projirietary 
or  fall-back  communication  facilities. 

References 

1.  van  Dyke.  Pariinak,  II.,  Bnieckiior,  S.,  Sauter,  J.:  Digital  plieroiiioiio  mechanisms 
for  coordination  of  unmanned  vehicles.  In:  A  AM  AS  2002:  Proceeding.s  of  the  First 
International  Joint  Conferenee  on  Autonomous  Agent.s  and  Miiltiagent  Systems, 
pp.  449  450.  ACM,  New  York  (2002) 

2.  Maturana,  F.P.,  Staron,  R.J.,  Hall,  K.H.:  Methodologies  and  tools  for  intelligent 
agents  in  distributed  control.  lEElC  Intelligent  Systems  20(1),  42  49  (2005) 

3.  Picard,  G..  Demon.  C.,  Gleizes,  M.P.:  Etto:  Emergent  timetabling  by  coopera¬ 
tive  self-organization.  In:  Bruerkiier,  S.A.,  Di  Marzo  Serugendo,  G.,  Hales,  D., 
Zambonelli,  F.  (eds.)  ESOA  2005.  LNCS  (LNAI),  vol.  .3910,  pp.  ,31  45.  Springer, 
Heidelberg  (200G) 

4.  George,  J.P.,  Gleizes,  M.P.,  Glize,  P.,  Regis,  C.:  Real-time  simulation  for  flood 
forecast:  an  adaptive  multi-agent  system  staff.  In:  AISB  2003:  Proceedings  of  the 
3rd  Syinposiiiin  on  Adaptive  Agents  and  Multi-Agent  Systems,  pp.  7  1 1  (2003) 

5.  Sclmrr,  N.,  Marecki.  J.,  Tambe,  M.,  Seerri,  P.:  The  future  of  disaster  response:  Hu¬ 
mans  working  with  rnultiagent  teams  using  defacto.  In:  AAAI  Spring  Symposium 
on  A1  Technologies  for  Homeland  Security  (2005) 

6.  Jansen.  W.A.:  Counter  measures  for  mobile  agent  security.  Computer  Connnniiica- 
tions  23(17),  1007  1676  (2000) 

7.  Wallach,  D.S.:  A  survey  of  peer-to-pt'er  security  issues.  In:  International  Sympo¬ 
sium  on  Software  Seeurity,  pp.  42  57  (2002) 

8.  Cainpadello,  S.:  Peer-to-peer  security  in  mobile  devices:  A  user  pcrsp(x*tive.  In: 
P2P  2004:  Proceedings  of  the  Fourth  International  Conference  on  Peer-to-Peer 
Computing,  pp.  252  257.  IEEE  Computer  Society,  Lo.s  Alarnitos  (2004) 

9.  Mondal.  A.,  Kitsiiregawa,  M.:  Privacy,  security  and  trust  in  p2p  environments: 
A  pers[)ectivc.  In:  Bres.san,  S.,  Kiing,  J.,  Wagner,  R.  (eds.)  DEXA  2006.  LNCS, 
vol.  4080,  pp.  682-686.  Springer,  Heidelberg  (2006) 


Secure  Muhi- Agent  System  for  Multi-Hop  Hnvironnients 


28:5 


10.  Lniidberg,  .1.:  Routing  security  in  ad  hoc  networks.  1'eciinical  Report  501,  Helsinki 
University  of  Technology  (2000) 

11.  Douceur,  ,J.R.:  The  sybil  attack.  In:  Driischel,  P.,  Kaashoek,  M.F.,  Rowstron.  A. 
(eds.)  IPTPS  2002.  LNCS,  vol.  2  129.  j)p.  251  200.  Springer.  Heidelberg  (2002) 

12.  II n.  Y.C.,  Perrig,  A..  Johnson,  D.B.:  Packet  leashes:  a  defense  against  wormhole 
attacks  in  wireless  networks.  In:  INFOCOM  200:5.  Twenty-Second  Animal  Joint 
Conference  of  the  IEEE  Coniputer  and  (k)inmiinicat  ions  Societies,  vol.  :5,  pp.  1970 
1980.  IEEE,  Los  Alainitos  (200:5) 

i:5.  Eschenaiier,  L.,  Gligor,  V.D.:  A  key-nuinageinent  scheme  for  distributed  sensor 
networks.  In:  CCS  2002:  Proce(*dings  of  the  9th  ACM  Conferenc(‘  on  Computer 
and  Conimniiical ions  Security,  pp.  41  17.  ACM,  New  York  (2002) 

14.  Abeier,  K..  Datta,  A.,  I lan.swirtli,  M  :  A  decentralized  public  key  infrastructure 
for  customer- to-cnstonier  e-coiiinierce.  International  Journal  of  Busine.ss  Process 
Integration  and  Management  1(1),  20  ,4:5  (2005) 

15.  Lesneiir,  F.,  Me.  L.,  Tong.  V.:  An  eflicient  distributed  PKI  for  structured  P2P 
networks.  In:  P2P  2009.  IEEE  Ninth  Inlernational  Conference  on  P(M’r-to-Peci 
Conipntiiig,  September  2009,  pj).  1  10  (2009) 

10.  C’hole/.,  T.,  Chrisment.  1.,  Festor,  O.:  A  distributed  and  adaptive  revocation  niech- 
anisin  for  p2p  network.s.  In:  K^N  2008:  Proceedings  of  the  Seventh  International 
Confen'iice  on  Networking,  pj).  290  295.  IEEE  Computer  Society,  Los  Alainitos 
(2008) 

17.  Kraxberger.  S.,  Payer,  U.:  Security  conc(*pt  for  peer-to-peer  systems.  In:  1\V(4MC 
2009:  Pnxeedings  of  the  2009  International  CYnfer<*nce  on  Wireless  Communica¬ 
tions  and  Mobile  Computing,  pp.  9.31  9, 30.  AC’M,  New  York  (2009) 

18.  Poovendran,  R.,  Lazos,  L.:  A  graph  theoretic  framework  for  preventing  the  worm- 
hole  attiuk  in  wireless  ad  hoc  networks.  Wirel.  Netw.  L3(I).  27  59  (2007) 

19.  JADE  Board:  .lade  security  add-on  guide.  Technical  report,  TILAB  S.p.A  (2005) 

20.  V3Ia.  X.,  Schuster.  A.,  Riera.  A.:  Security  for  a  mnlti-agent  system  boused  on  jade. 
Comjinters  and  Security  20(5),  391  100  (2007) 


In  the  Track  of  the  Agent  Protection:  A  Solution 
Based  on  Cryptographic  Hardware 


Antonio  Munoz,  Antonio  Mana,  and  Pablo  Anton 


Coinpntor  Science  Department 
University  of  Malaga,  Spain 
{amunoz , amg , panton}Qlcc . uma . es 


Abstract.  The  agent-based  computing  represents  a  promising  paradigm 
for  emerging  ubiquitous  computing  and  ambient  intelligence  scenarios 
due  to  the  nature  of  the  mobile  agents  that  fit  perfectly  in  these  en¬ 
vironments.  However,  the  lack  of  the  appropriate  security  mechanisms 
is  hind<Ting  the  application  of  this  paradigm  in  real  world  applications. 
The  protection  of  malicious  hosts  is  the  most  difficult  security  problem 
to  solve  in  mobile  agent  systems.  In  this  paper  we  describe  our  solution, 
which  is  a  mechanism  to  solve  this  problem.  Our  work  is  based  in  a  new 
agent  migration  protocol  biised  on  the  use  of  tamper  resistant  crypto¬ 
graphic  hardware.  Concretely,  wo  base  our  work  on  the  use  of  the  Trusted 
Computing  technology.  The  result  of  our  w'ork  is  a  library  built  on  JADE 
that  implements  the  secure  migration  for  agents  named  Secure  Migra¬ 
tion  Library  for  Agents  (SecMiLiA).  This  library  provides  a  friendly  u.se 
of  the  Trusted  Computing  technology  for  agent  based  system  developers. 

Keywords:  TF^M,  cryptographic  hardware,  agent  protection. 


1  Introduction 

While  mobile  agent  paradigm  expresses  many  advantages  over  the  traditional 
network  computing  models  |4|,  the  code  mobility  of  the  mobile  agents  brings 
some  severe  security  problems.  Current  research  efforts  in  the  security  of  mo¬ 
bile  agent  field  adopt  tw’o  different  points  of  view.  Firstly,  from  the  platform 
perspective,  we  need  to  protect  the  host  from  malicious  mobile  agents  such  as 
viruses  and  Trojan  horses  that  are  visiting  it  and  wasting  resources.  Secondly, 
from  the  mobile  agent  point  of  view,  we  need  to  protect  the  agent  from  ma¬ 
licious  hosts.  Both  points  of  view  have  attracted  much  research  effort.  In  [7] 
authors  show  that  scientific  eominunity  put  many  efforts  in  this  field,  indeed 
many  applications  exist  based  on  this  technology  However  all  these  efforts  loose 
their  values  due  to  they  are  not  based  on  a  secure  robust  basis  to  build  applica¬ 
tions.  This  fact  encouraged  us  to  afford  the  task  of  the  malicious  hosts.  For  this 
purpose  we  make  use  of  a  tamper  resistant  cryptographic  hardware.  Because  of 
the  recent  a[)proaehes  in  the  Trusted  Computing  technology  and  their  (Jieaper 
price  w'e  choose  this  teelmology  to  implcineiit  our  protocol.  However,  the  secure 
migration  protocol  can  be  implemented  on  any  tamper  resistant  cryptographic 


I.  Kotenko  and  V.  Skoriniii  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  284-207,  2010. 
©  Springer- Verlag  Berlin  Heidelberg  2010 


Ill  the  Track  of  tlu'  Agent  Protection 


28r> 


liMiclwanN  such  as  the  siiiartraixls.  In  |7]  two  iiieeliaiiisiiis  art'  prest^iited  to  pro¬ 
vide  secairity  for  the  agent  based  systoiiis.  Firstly,  a  software  hascxl  solution  built 
on  the  protected  eoinpnting  approach  |6|  is  iiitroductxl.  Secondly,  a  (‘oui|)l('te 
description  of  a  hardware  based  approach  is  explained.  This  ap|)roacli  is  the 
basis  of  the  work  presciitetl  in  this  paper.  This  papta*  is  organized  as  follows. 
Section  2  deals  with  the  State  of  the  Art.  Section  8  gives  a  perspective  of  the 
role  of  the  Trusteed  Coinputiiig  in  the  agent  protection.  S('ctioii  4  presents  the 
SecMibiA.  Section  5  desc'ribes  some  issues  found  in  the  d(^*ign  and  d(‘velopineiit 
of  the  library.  Section  (i  gives  an  overview  of  tlu'  main  services*  providcxl  by  the 
library.  Section  7  int  rodiures  some  supporting  technology.  Finally  .s(H‘tion  8  giv(‘s 
.some  coiichiding  remarks. 


2  State  of  the  Art 

Some  niechanisms  an'  oriented  to  the  protection  of  the  ho.st  against  malicious 
ag(‘nts.  Among  these.  SandBoxing  [9],  proof-carrying  code  |8|,  and  a  variant 
of  this  tcM'hniqiie.  called  proof-referencing  code  |2).  One  of  the  most  important 
[iroblenis  of  tlu’se  techiiicpies  is  the  difficulty  of  identifying  which  operations  (or 
sequences  of  them)  can  be  pc'rniitterl  without  comproniising  the  loc  al  s(*(‘urity 
jKilicy.  Other  mechanisms  are  oriented  towards  protecting  agents  against  mali¬ 
cious  scTV(*rs.  Among  them  tlu'  concept  of  sanctuaries  |12|  was  |)ropos(‘d.  Scwcual 
teclmicpu's  can  be  applic^d  to  an  agent  in  order  to  verify  scdf-iiitc'grity  and  avoid 
that  the  code  or  the  data  of  the  agc'iit  is  inadvert (‘iitly  maiiipulated.  Anti-tamper 
tc'chnicpu's,  such  as  encryption,  clux'ksumming.  anti-debugging,  aiiti-eninlation 
and  some  othcTs  share’  the  same  goal,  but  they  are  also  orient cxl  towards 

th('  prevention  of  the  analysis  of  the  function  that  the  agent  implements.  Ad¬ 
ditionally,  .some  protc'ction  schemes  are  bjiscd  on  se  lf-modifying  c'odc,  and  codc^ 
obfuscation  |3|.  The  tcclniicpie  known  Jis  (‘o-operating  agcait  [10,51  consists 
on  the  distribution  of  critical  tjisks  of  a  single  mobile  agent  bc’tween  two  co- 
ojXTating  age^nts.  Kac  h  of  thc’se  agents  execaites  th(’  ta.sks  in  one  of  two  disjoint 
s(4s  of  i)latforms.  Finally  tlu’rc’  arc  technique's  that  create'  a  two-way  protection. 
Some  of  tlicTse  are  based  on  the  protected  coinputiiig  approach  17].  Most  of  thetse 
apiu'oaclies  are  software^  ba.se'd  solutions.  However,  it  is  important  to  consider  the 
fae*t  that  the'  de'gre’c  of  e'onfidence'  in  softwarevonly  se'curity  .solutions  depends  on 
.sevenal  factors  sometime's  inie-ontrejilable’,  such  as  their  c'orrect  installation  and 
exe'cution.  This  can  be  affected  by  all  othen*  software  that  lurs  be'en  exccute'd 
e)n  the'  .same  platfeirm.  For  this  re'a.son,  experts  conclude  that  trust  eel  harelware 
is  iK’e'eled  as  the  basis  fe")!*  se'enirity  se)hitions.  We  aime'el  that  e>ur  se)lutie:)n  take's 
aelvantage  e)f  the  rcce'nt  aelvance's  in  the  trustexl  ce^nupiiting  techiieile^gy. 

Agent  migratk)!!  ceinsists  on  a  inee:hanisin  t  o  cont  iiine  t  he  executieni  e)f  an  agent 
em  aiieither  locatiem.  Idiis  pre)e'e\ss  inclnek's  the  transpeirt  e)f  agent  code,  e'xeciition 
state  and  elata  of  the  ageuit.  The  migration  in  an  agent  base'd  system  is  initiaU'el 
on  behalf  e>f  the  agent  and  not  by  tlu?  syste'in.  Th('  iiiain  niotivatieiii  for  this 
migration  is  to  move  the  computation  to  a  elata  server  or  a  ce)nnnnnicatie)n  part- 
lU'r  in  order  to  rcehice  network  load  by  acce'ssing  a  elata  server  a  communication 


286 


A.  Munoz,  A.  Mafia,  and  P.  Anton 


j)artner  by  local  coiniiiuiiication.  Then  migration  is  done  from  a  source  agency 
wliere  agent  is  riinniiig  to  a  destination  agency.  Migration  can  be  performed  by 
two  different  ways.  Moving  is  the  process  in  which  the  agent  is  renio\^ed  from 
the  source  agency  when  is  copied  in  the  destination  agency.  Cloning  consists  on 
the  agent  is  copied  to  the  destination  agency.  Henceforth,  the  two  copies  of  the 
agent  coexist  executing  in  different  places.  In  the  remainder  of  this  paper  and 
at  least  stated  explicitly  we  will  use  the  term  migration  to  refer  to  both  cloning 
and  moving  of  agents.  Onr  approach  is  addressed  on  achieve  a  secure  migration 
j)rocess.  For  this  reason  we  j)ropose  a  hardware-based  mechanism  to  provide  se¬ 
curity  to  agent  systems.  The  TPM  provides  mechanisms,  such  as  cryptographic 
algorithms,  secure  key  storage  and  remote  attestation  that  i)rovides  important 
tools  to  achieve  a  high  level  of  security. 


3  The  Trusted  Computing  Technology  in  the  Agent 
Protection 

Previously  we  aimed  that  is  essential  the  integration  of  new  trusted  security 
mechanisms  in  the  agent  software  field  to  achieve  a  reasonable  security  level.  For 
this  reason  we  propose  a  projjosal  based  on  the  appeals  of  the  tamper  resistant 
cryptograpliic  hardware.  This  kind  of  technology  provides  some  mechanisms, 
such  as  cryptographic  algorithms,  secure  key  storage  and  remote  attestation 
that  are  essential  to  achieve  a  high  level  of  security.  The  main  appeal  of  the 
SecMiLiA  is  that  agent  software  developers  are  liberated  of  security  engineering 
related  tasks,  due  to  the  uiidcniying  security  of  our  approach. 

However  our  main  objective  is  to  provide  a  high  level  of  security  for  agent 
execution  avoiding  possible  attacks  of  the  hosts.  Then,  we  propose  the  use  of 
the  trusted  computing  technology;  indeed  we  use  the  Trusted  Platform  Mod¬ 
ule  (TPM).  Mainly,  due  to  TPM  is  compliant  with  the  security  requirements 
mentioned  above  and  this  technology  has  other  features  like  the  standardisation 
and  the  growing  integration  of  this  technology  in  the  market.  Additionally,  the 
supporting  provided  by  many  important  companies  leaders  in  the  IT  security 
sector  is  a  considerable  apjjeal  of  this  technology.  TPM  is  the  cornerstone  of 
our  aj)proach  due  to  the  security  of  onr  system  is  relies  on  it,  this  is  following 
explained.  We  identified  two  main  j)illars  of  agent  i)rotection.  Firstly  we  have 
to  protect  the  execution  element.  The  protection  of  this  element  is  provided  by 
the  root  of  trust  provided  of  the  TPM.  It  is  based  on  controlling  that  only  a 
restricted  set  of  operations  can  be  executed.  Secondly  we  have  to  protect  the  mi¬ 
gration  procedure,  for  this  purpose,  we  use  the  remote  attestation  functionality 
provided  by  the  TPM.  In  order  to  facilitate  the  use  of  this  mechanism  we  devel¬ 
oped  a  full  library  based  on  the  most  used  agent  platform  JADE. (Java  Agent 
DEvelopment  Framework),  which  is  a  software  Framework  fully  implemented  in 
Java  language.  It  simplifies  the  implementation  of  multi-agent  systems  through 
a  middle- ware  that  complies  with  the  FIPA  specifications  |14)  and  through  a  set 
of  graphical  tools  that  sujiiiorts  the  debugging  and  deployment  phas(\s. 


In  the  Ti’ack  of  the  Agent  Protection 


287 


Tli('  basic  idea  behind  the  coiicc'pt  of  Trusted  Coiiipiitiiig  is  the  creation  of  a 
cliain  of  trust  Ix'tween  all  oleinents  in  the  computing  system,  starting  from  the 
most  basic  ones.  Consequently,  platform  boot  processes  are  modified  to  allow 
th('  TPM  to  measure  each  of  the'  components  in  the  system  and  securely  store  the 
rc'sults  of  the  measnnunents  in  Platform  Configuration  Registers  (PCR)  within 
the  TPM.  This  inechaiiism  is  used  to  extend  the  root  of  trust  to  th('  difrorent 
('h'liKnits  ill  tlu'  computing  platform.  Therefore,  tlu'  chain  of  trust  starts  with 
the  mentioned  above  TPM.  which  analyses  whothtn*  the  BIOS  of  the  computer 
is  trnst<Hl  and,  in  that  CJise.  passes  control  to  it.  This  jiroci'ss  is  repeated  for  the 
masten*  boot  record,  th('  OS  loader.  th('  OS,  the  hardware  devices  and  finally  tlu' 
applications.  In  a  Trusted  Computing  scenario  a  trusted  application  runs  exchi- 
.siv('ly  on  toj)  of  trusted  and  pre-approved  sniiportiiig  software  and  hardware. 
Additionally  the  TC  technology  provides  mechanisins  for  the  measurement  (ob¬ 
taining  a  cryj:)tographk‘  hash)  of  the  configuration  of  nmiote  platforms.  If  this 
configuration  is  alten'd  or  modified,  a  new  hash  value  must  be  generated  and 
sent  to  t  h('  rc'quester  in  a  certificate.  These  cert  ificat  es  att('st  the  cm  rent  state  of 
th(‘  remote  platform.  We  hav('  .s(H'n  that  sevcTal  huh  hanisms  for  secure  (‘xcMuit  ion 
of  agents  have  Ikhui  i)ropos(M  in  th('  literature'  with  the'  objective  of  securing 
th(‘  execution  of  agents.  Most  of  these  mechanisins  are  designed  to  provide  some 
type  of  protee  tion  or  some  sjx'cific  security  ])r()p(Tty.  Despite'  they  only  provide' 
partial  se)hitie)ns  to  the  agent  systems  .security. 

We'  intre)due‘e'  the  e'a.se  that  an  agent  exe'Ciiting  in  an  agency  (.se)nree  ageiuy) 
plans  to  migrate  te)  a  different  agency  (destiiiatie)n  agency).  Both  agencie's  take 
me'asure's  e)f  .some  .system  ])araniete'rs.  whie'h  dete'rmiiie  the  se'Ciirity.  feir  instaiUT 
BIOS,  kc'ys  nmdules  fre)in  ()j)erating  Syste'in,  active  ])re)ce^sse's  and  .servievs  in  the 
sy.stcin.  Through  tlu'se  parame'ters  an  estiinatiein  of  the'  .se'cure'  state  eT  the'  age'iie'v 
can  be  elenie.  Value's  taken  are'  se'eairely  storeel  in  the'  truste'd  eievie  e.  in  sneh  a  way 
that  cainieit  be  either  ae‘ce\ss  or  nu)difie'd  unauthorizeel.  Ageiiew  has  the'  ability  te) 
repe)rt  ex)iifigiiration  values  ])re'vie)u.sly  ste)re'el  te)  either  ageneae's  in  sneh  a  way  that 
the'se  can  elete'rniine  its  se'cnrity.  Before  the  migratieni  the'  age'iit  reejue'sts  te)  the' 
se)ure‘e'  agency  te)  eleterinine  the'  trustwe)rthy  on  ele'stinatieni  agency.  By  nu'ans  e)f 
this  process  an  agent  in  a  se'cnre  agency  can  extend  the'  limit  e)f  its  cemfielene-e  te) 
either  age'ncy  e)nce  the  se'eairity  eif  ele'stination  age'iicy  is  te'steel. 


4  Our  Final  Result:  The  Secure  Migration  Library 
(SecMiLiA) 

in  this  se'e‘tie)n  we  intreieluce  the  Seeure  Migration  Library  (SecMiLiA).  This 
library  preivides  the  se'cure  migration  functionality.  In  oreler  to  give  a  frie'iielly 
u.se  e)f  the  security  inechanisni  provided.  We  aimeel  that  Se'e-MiLiA  is  base'el  ein  the* 
JADE  platform.  The  main  reasons  for  that  fact  are'  folleiwiiig  elescribe'd.  Firstly, 
be'cau.se  e)f  the  wiek'spre'ad  u.se  of  the'  .lADE  platform  in  the  agent  community; 
anel  secondly  be'causo  of  the  interplatforin  migration  me'chanism  prewielenl  by 
JADE.  The  figure'  1  elepicts  a  bloe'k  diagram  that  slieiws  heiw  the  SecMiLiA  is 
built  on  JADE. 


288 


A.  Munoz,  A.  Mana,  and  F^.  Anton 


Secure  Migration  Library  for  Agents 


JADE 


TPM4Java 


Java  Platform 


Fig.  1.  block  diagram 

4.1  The  Set  of  Minimum  Requirements  of  Our  Library 

The  most  relevant  objective  in  tlu'  design  of  this  library  is  the  provision  of  a 
secure  eiiviroiiineiit  in  which  agents  can  be  securely  executed  and  migrated.  It  is 
relevant  the  easy  integration  in  JADE,  that  is,  no  modifications  in  JADE  might 
b(‘  done,  hut  as  secondary  aspecd  .  Similarly  to  the  provision  of  a  friendly  use  for 
agent  software  developers,  who  are  not  security  expert.  And  the'  provision  of  a 
library  that  complains  with  the  existing  security  solutions. 

As  a  final  result  we  obtained  a  library  that  provides  security  to  software  agents 
on  JADE.  Wc  achieve  this  security  level  by  means  of  a  incchaiiism  that  allows 
the  secure  migration.  This  secure  mcchanisin  is  based  on  the  testing  the  trust 
of  destination  agency  before  the  migration  process  actually  is  performed  that 
we  explain  in  the  next  section.  This  guarantees  that  agent  execution  is  always 
pcTformed  in  a  secure  eiiviroiinieiit.  This  gives  a  solution  to  the  problem  of  the 
malicious  hosts.  Thus,  agent  reaclu's  a  secure  environment  where  its  execution 
goes  on,  in  such  a  way  that  agents  cannot  modify  the  host  agency. 

We  identified  some  minimum  recpiirements  in  the  design  process  of  the 
library.  These  recpiiremeiits  were  grouped  in  two  different  sets,  functional  and 
non-functional  requirements.  On  the  one  hand,  (concerning  the  functional  re¬ 
quirements,  the  library  must  provide'  a  mechaiiisin  for  secure  agent  migration  in 
JADE  platform,  in  such  a  way  that  the  agent  can  ('xteiid  its  trustworthy  lim¬ 
its  by  means  of  adding  secure  agencies,  both  from  its  platform  and  from  remote 
platforms.  It  is  important  to  mention  the  fact  that,  ('ach  agency  must  provide  lo¬ 
cal  functionality,  which  is  allowing  an  agent  to  migrate  to  a  destination  platform. 
Similarly,  each  agc'iu'y  must  provide  the  functionality  to  allow  to  other  agencic'S 
take  integrity  measure's  to  determine  if  its  configuration  is  secure.  The  library 
must  implement  the  protocol  to  allow  configuration  relatexl  information  to  in¬ 
terchange  from  an  agency  to  a  different  one.  This  is  re'epiired  to  he'  iinplemente'd 
in  such  a  way  that  both  agencies  are  truste'd  from  the  origin  of  this  informa¬ 
tion.  Last  but  not  least  concerning  functional  re'e^uirements  the  library  iiiiist  use 
truste'd  hardware.  In  this  case  we  used  a  TPM  to  stored  securely  agencies  data 
integrity  and  re'porting  data  to  the  agencies,  which  reque'ste'd.  On  the  either  hand, 
related  with  the  non-functional  requirements,  we  believe  that  the  library  might 
he  integrate'd  in  the  JADE  platform,  in  such  a  way  that  the  library  use  eJoes  not 
imply  modifications  in  the  JADE  configuration.  As  well  as,  the  operation  of  the 
library  must  be  transparent  to  the  user.  Library  must  ease  the  adaptation  to 
existent  solntioiLs  to  ii.se  security  mechanisms  provide'd  in  such  a  way  that  the 
nuinbe'r  e^f  modifications  is  rednexxl  at  maxiniuni.  A  generic  security  iiie'ehanism 


In  Iho  Track  of  tlic  Agent  Protection 


289 


is  provided  to  be  easily  adapted  to  concrete  solutions.  And  it  is  iinportaiit  tliat 
the  library  allows  the  possibility  to  be  easily  extended  with  future  iinprovenients 
and  new  functionalities. 


4.2  Secure  Migration  Protocol 

Following  we  include  an  overview  of  the  protocol  that  is  the  basis  of  our  library. 
This  protocol  is  the  basis  to  provide  the  security  to  the  migration.  We  analyze 
the  different  attestation  protocols  as  well  as  the  secure  migration  protocol.  Then 
we  study  tlu'ir  benefits  to  de.sign  the  secure'  migration  protocol,  hi  |7|  authors 
described  a  draft  of  this  protoeol,  which  provides  some'  key  ide'as  to  take  into 
account  during  the  design  process  of  the  final  protocol.  Let  us  assume  that  the 
agent  is  executing  in  a  sevure  platform.  Thus,  the  agent  trusts  in  this  platform 
to  che(‘k  the  migratioii  security.  Additionally,  it  is  interesting  to  mention  the 
necessity  of  the  use  of  the  TPM  to  obtain  and  report  configuration  data.  More 
relevant  ideas  provided  are  that  a  protocol  shows  how  an  agent  from  the  agency 
re(piests  to  TPM  the  sigiu'd  values  from  PCRs.  Besides,  the  protocol  shows  how 
the  agent  obtains  plat  form  (Tcdentials,  these  creth'iitials  together  with  PCHs 
signed  values  allow  to  determine  whether  th('  destination  configuration  is  .secure. 

Finally  we  analyse  in  depth  tlu'  protocol  .More  relevant  ideas  from  this  pro¬ 
tocol  are;  the  use  of  an  attestation  identity  key  (AIK)  to  sign  the  PCR  values; 
the  use  of  a  certification  authority  (CA)  that  validates  the  attestation  identity 
key  (AIK):  hikI  the  use  of  configurations  to  (compare  received  results  from  re¬ 
mote  agency.  We  designed  a  new  protocol  basc'd  on  the  study  of  the  trusted 
computing  technology.  Onr  protoc'ol  has  some'  characteristics,  for  instance;  the 
agency  provides  to  the  agent  the  capa(‘ity  to  migrate  by  a  secure  way:  and  the 
agency  uses  a  tni.sted  platform  module  that  provides  configuration  values  storc'd 
in  PCRs.  The  trusted  platform  module'  signs  PCRs  values  using  a  specific  attc's- 
tation  identity  key  for  the  destination  agency;  in  such  a  way  that  data  rc'cc'iver 
knows  .securely  the  TPM  identity,  which  is  signc'd.  A  Certification  Authority  gen- 
('ratc's  the  needc'd  credentials  to  vc'rify  the  AIK  identity.  Together  with  signed 
PCRs  values  the  agency  providc's  attestation  identity  key  credentials  i)roducing 
th('  signature.  This  signature  is  used  to  verify  that  the  data  are  exactly  from  the 
source  TPM.  A  further  descrii:)tioii  of  this  protoc'ol  is  included  in  [15]. 


4.3  Verification  of  Secure  Migration  Protocol  with  AVISPA 

The  secure  migration  protocol  de.scribed  above  is  the  basis  of  this  research.  Tims, 
we  want  to  build  a  robust  solution,  for  this  purpose  the  next  step  is  validation 
of  this  protocol.  Among  diffc'reiit  alternatives  we  selc'cted  a  model  (’lu'cking  tool 
ralFd  AVISPA. 

AVISPA  is  an  aiitomatk*  push-button  formal  validation  tool  for  Internet  se¬ 
curity  protoc'ols,  developed  in  a  projc'ct  sponsored  l}y  the  Europc'aii  Union.  It 
('iicompassc's  all  .security  protocols  in  the  first  five  OSl  layers  for  more  than 


290 


A.  Munoz,  A.  Mafia,  and  P.  Anton 


twenty  security  services  and  mechanisms.  Furthermore  this  tool  covers  (that  is 
verifiable  by  it)  more  than  85  of  IETF  security  specifications.  AVISPA  library 
available  on-line  has  in  it  verified  with  code  about  hniidred  problems  derived 
from  more  than  two  dozen  security  protocols.  AVISPA  uses  a  High  Level  Pro¬ 
tocol  Specification  Language  (HLPSL)  to  fet'd  a  protocol  in  it;  HLPSL  is  an 
extremely  expressive  and  intuitive  language  to  model  a  protocol  for  AVISPA. 
The  operational  semantic  is  based  on  the  work  of  Lamport  on  Temporal  logic  of 
Actions.  Comniunicatioii  using  HLPSL  is  always  synchronous.  Once  a  protocol 
is  fed  in  AVISPA  and  modelled  in  HLPSL,  it  is  translated  into  Intermediate 
Format  (IF).  IF  is  an  intermediate  step  where  re-write  rules  are  applied  in  order 
to  further  process  a  given  protocol  by  back-end  analyzer  tools.  A  protocol,  writ¬ 
ten  in  IF,  is  executed  over  a  finite  number  of  iterations,  or  entirely  if  no  loop  is 
involved.  Eventually,  either  an  attack  is  found,  or  the  protocol  is  considered  safe 
over  the  giv('n  number  of  sessions. 

System  bcdiaviour  in  HLPSL  is  modelled  as  a  ‘‘state”.  Each  state  has  variables 
which  are  responsible  for  the  state  transitions;  that  is,  when  variables  change, 
a  state  takes  a  new  form.  The  communicating  entities  are  called  “roles”  which 
own  variables.  These  variables  can  be  local  or  global.  Apart  from  initiator  and 
receiver,  environment  and  session  of  protocol  execution  are  also  roles  in  HLPSL. 
Roles  can  be  basic  or  composed  depending  on  if  they  are  constituent  of  one 
agent  or  more.  Each  honest  participant  or  principal  has  one  role.  It  can  be  par¬ 
allel,  sequential  or  composite.  All  communication  between  roles  and  the  intruder 
are  syiichronoiis.  Communication  channels  are  also  represented  by  the  variables 
carrying  different  properties  of  a  particular  environment.  The  language  used  in 
AVISPA  is  very  expressive  allowing  great  flexibility  to  express  fine  details.  This 
makes  it  a  bit  more  complex  than  Hermes  to  convert  a  protocol  into  HLPSL. 
Further,  defining  implenieiitation  environment  of  the  protocol  and  user-defined 
intrusion  model  may  increase  the  (complexity.  Results  in  AVISPA  arc'  detaik^l 
and  explicitly  given  with  reachable  number  of  states.  Therefore  regarding  r(\sult 
interpretation,  AVISPA  requires  no  expertise  or  skills  in  mathematics  contrary 
to  other  tools  like  HERMES|13)  where  a  great  deal  of  experience  is  at  least 
necessary  to  get  meaningful  conclusions. 

Of  the  four  available  AVISPA  Back-Ends  we  chose  the  OFMC  Model,  which  is 
the  unique  that  uses  fresh  values  to  generate  nonce’s.  However,  this  alternative 
requires  a  limit  value  for  the  search.  The  results  of  our  research  are  the  following: 

SUMMARY  SAFE 

STATISTICS 

parseTlme:  O.OOs 
searchTime:  564.34s 
visitedNodes :  18  nodes 
depth:  2000  plies 
environment () 


These  results  show  that  the  summary  of  the  protocol  validation  is  safe.  Also 
some  statistics  are  shown  among  them  depth  line  indicates  2000  plies,  but  this 
process  has  been  performed  for  200,  250,  300,  400,  500  and  1000  of  depth  values 


In  t  he  Track  of  tlie  Agent  Proto(‘tioii 


291 


with  similar  results.  A  further  description  of  this  validation  is  out  of  the  scope 
of  this  paper. 


5  Design  and  Deployment  of  the  Library 

In  the  dt'velopinent  process  wen'  found  some  issiie.s,  sncli  as  a  .TADE  systt'in  is 
composed  for  a  platform  that  keeps  a  main  container  in  which  agents  are  de¬ 
ployed.  Additional  containers  can  he  added  to  this  platform,  some  of  them  can  be 
nnnote  containers,  and  different  platform  can  interacts  among  them,  allowing  the 
migration  of  the  agents  l)etween  the  agencies.  Henceforth,  we  consider  the  sanu* 
platform  and  agency.  Taking  into  account  the  JADE  structure,  we  conclude  that 
two  different  kinds  of  migration  exists,  migration  among  containers  from  differ¬ 
ent  platforms  and  migration  from  eontainers  in  the  same  platform.  In  the  case 
that  the  migration  is  from  containers  from  different  platforms,  the  agent  migrates 
from  a  container  from  soiirc'e  agency  to  the  destination  agency  main  container. 
In  such  a  case  that  destination  agency  is  not  a  JADE  biiilt-oii  platform  the  ar* 
chiteeture  can  be*  different,  depending  on  the  platform.  In  the  other  case,  the 
agent  migrates  from  a  container  to  another  one  but  in  the  same  platform.  Both 
migration  processes  imply  some  sec  urity  concerns.  The*  platform  migration  is  not 
sc^(nire  because  the  main  container  from  the  source  platform  can  be  imtrustecl. 
the  migration  between  containers  has  the  same  problem,  it  is,  if  destination  c*on- 
taiiier  is  not  trusted:  and  the  migration  is  not  secure.  Secure  migration  lil)rary 
solves  both  risen  problems.  In  this  section  we  analyse  the  deployment  and  the 
design  of  SecMiLiA.  Firstly,  w('  study  the  architecture  of  the  library;  secondly 
we  show  the  components  and  their  related  functionalities.  Tin*  main  use'  case  is 
a  user  that  uses  SecMiLiA  to  develop  a  secure  agent  based  system.  We  consider 
a  relevant  aspexJ  to  consider  that  tlu'  user  is  not  a  s('curity  expert.  lYaditionally 
in  these  kinds  of  systems,  the  user  defines  the  set  of  agents  that  eonij)oinid  tlu* 
system.  Concretely  JADE  defines  an  agent  by  means  of  a  chiss  that  inherits 
from  Agent  cla.ss,  using  this  n(‘W  class  the  agent  creatc'd  is  provided  of  the  basic 
behaviour  of  an  agent.  Therefore  the  user  defines  the  specific  behaviour  of  this 
agent.  Aiiiong  the  most  relevant  functionalities  of  a  JADE  agent  we  highlight 
the  compatibility  with  inter-containers  migration.  Concerning  the  main  migra¬ 
tion  methods  we  highlight,  doMove  (Locationl)  moves  the  agent  from  a  source 
container  to  a  destination  one.  The  method  named  doClone( Locationl,  String 
newName)  clones  the  agent  in  container  1  using  newNanie  as  the  name.  Two  main 
services  are  provided  by  SecMiLiA.  The  Agent  Mobility  service  performs  a  secure 
inter-platform  migration  in  the  same  platform,  and  the  SecurelnterPlatformMo- 
bility  servic'e,  which  uses  the  InterPlatforniMobility  service  to  perform  the  secure 
intra-platform  migration.  We  mentioned  above  that  JADE  Agent  class  provides 
two  “noil-secure'’  migration  methods,  for  this  reason  we  have  created  a  new  class 
that  inlic'rits  from  this  class  and  redefines  migration  methods  to  perform  a  s('- 
eure  process.  This  allows  a  complete  integration  in  the  JADE  platform,  as  well 
as  provides  a  friendly  use  for  agent  software  developers,  who  only  need  instance 
the  SecurcAgeiit  class  and  invoke  the  seeureMigration  method. 


292 


A.  Miifioz,  A.  Mana,  and  P.  Anton 


Agent 


♦doMoveC  Location  I ) 

•►cloCk)ne(  Location  I,  String  newNamc ) 
- - - 


Secure  Agent 


fsecureMigrationrineout 


•^cioMove(  Location  I ) 

■KloClone(  Location  I,  String  newName ) 
+cioMoveOld(  Location  I ) 

■KtoCJoneOW(  Location  L  String  newName ) 
♦gdSecur^AgrationTlmeoul() 
•KloMoveError(  String  errMsg,  int  errCocte ) 
‘KtoCloneError(  Siring  errMsg,  int  errCode ) 


Fig.  2.  Seen  re  Agent  Class 


6  Main  Functionalities  of  SecMiLiA 

This  section  describes  the  main  services  provided  by  the  SecMiLiA  as  well  as 
the  more  relevant  classes  and  methods  of  this  library. 

6.1  SecureAgentMobility  Service 

The  SeenreAgentMohility  service  provides  the  secure  migration  functionality  be¬ 
tween  different  containers  in  the  same  platform.  Concretely,  the  ‘dielper”  ela.ss 
provides  two  important  methods:  (i)  “secnrcMove’’  that  allows  secure  agents 
moving  securely  to  destination  container  and  (ii)  “secnreCloiie ’  that  provides  a 
secure  way  to  cloning  agents  in  destination  containers.  The  following  algorithm 
presents  the  ease  where  an  agent  request  for  a  service  to  move  to  a  container  (e2). 
Ill  this  case  the  stops  are:  This  protocol  considers  the  service  like  a  unique  entity. 
However,  several  (‘omponents  belonging  to  that  service  are  avoided  in  order  to 
clarify.  Other  important  issue  is  that  the  service  invokes  ''doMoveOld"  method  to 
start  the  migration,  which  fnnetionality  is  similar  to  “doMove"'  from  Agent  class, 
moving  agent  to  de.stiiiatioii.  Previously  to  the  migration,  the  service  cheeks 
that  destination  is  secure.  This  fact  allows  a  similar  behaviour  of  the  “doMovc"’ 
method  from  “SoeureAgeiit”  and  the  “doMove”  method  from  the  ''Agent"  class. 
The  content  of  these  messages  is  encapsulated  nsing:'*Attest Request _ Interface", 
and  the  "Attest Data_Int.crfacc”  interfaces.  The  "AttestR,equest_Iiiterfaee"  pro¬ 
vides  access  to  data  from  a  request  attestation  message,  and  the  “AttestData 


Algorithm  1.  The  agent  SA  is  moved  to  the  container  C2 

1:  SA  agput  requ(»sts  for  Si  service  to  move  to  C2 
2:  Service  seiid.s  a  remote  attestation  request  to  S2  service. 

3;  S2  service  accepts  the  r<‘q\iost 

4:  SI  service  sends  requested  information  to  S2. 

5:  S2  service  responses  to  SI  sending  the  attestation  result. 

6:  SI  service  starts  agent  migration  to  C2  container. 


In  the  Track  of  tho  Ag('nt  Protection 


29:\ 


j)rovi(los  a(‘(‘oss  to  tho  attestation  infonnatioii  from  a  coiic  roto  con¬ 
tainer.  Both  interfaces  eiirai>sulate  information  from  attestation  protocol  mes¬ 
sages.  To  continue  the  attestation  proc^ednre  the  sour(‘e  container  comj)letes  tlie 
ncMHled  (lata  using  the  ''siT’  iiK'thod.  The  “seciireAgentMohihty’'  service  uses  the 
‘‘AttestTool_lmpl(nnent”  chiss  to  complete  data  messag(*s. 

The  “AttestTool  Implement”  class  managers  attestation  protocol  nu'ssage^s. 
that  is,  the  generation  of  the  iiK'ssages  in  the  sourcos  and  the  verifi(*ation  in  tlu' 
destination.  “AttestTool_Iniplement”  ( la.ss  is  providc^d  by  acet^ss  to  system  TPM, 
for  that  purpose  the  “1  PM_lnterfa(‘(^‘’  and  the  ‘  CA  Iiitca  faco”  interfa(‘e  are  ac- 
cos.sed.  This  fact  allows  using  both  entity  functionalities  to  complete  message's. 
‘‘At t('stToc)l_lnii)l('m(mt”  class  allows  to  accc'ss  to  systc'in  conhgnration  trough 
th(*  “Attc'stConfig_ Interface'”  interface.  “At testdbol  Imphnnent"  class  managc's 
TPM  accc'ss  in  siicT  a  way  that  attestation  i)rotocol  can  b('  jx'i fornu'd.  The 
“Att('stTool_lmpl(*mcmt”  class  In’liaviour  is  similar  to  Kc'y  Cache  Manager  for 
(h'aliiig  with  the  Tl^M  keys.  The  “Att('stTool_lmplement”  class  implenients“At- 
t('stTool_ Interface”  interface  where  sc'cure  migration  procc'ss  state's  code's  are 
elc'fiiK'd.  These  error  eodc'S  allow  to  agents  to  determine  the'  re'sults  wIk'ii  clo- 
Move'Error  and  doCloiieError  methods  are  called. 

In  order  to  genc'rate  and  verify  the  attestation  message's  coiitc'iits  is  ne'e'de'd 
the  use  e)f  a  TPM  and  a  coi  tifieation  authority  (CA).  More  relevant  loasons 
for  this  are  that  (i)  the'  TPM  provide'S  the  functionalitie's  to  gemc'rate  atte's- 
tation  data:  (ii)  the  ne'ede'd  functionalitie's  to  generate  the'  attestation  idemtity 
kc'ys  (AIK);  (iii)  the  fnnetions  to  produce  the  data  signature:  (iv)  and  the  fune- 
tions  to  allow  the  ge'iieratioii  of  randoin  nonce'  value's.  We  have'  to  considc'r  that 
the  (Vrtification  Authority  (CA)  provide's  the'  credentials  geiU'ration.  Firstly, 
the  "TPM^Iiitc'rface”  interface'  ])rovicie's  accc'ss  to  TPM  functionalities.  Ame:mg 
them  we  found,  the'  initialization  of  the  iiiterfaev  with  TPM  module:  the  ge'ii- 
c'ration,  dropping  and  activ^ation  of  an  atte'statioii  identity  kc'y  rc'epic'st  from 
“re'(|I)ata *.  The  e ertifie'ation  authority  rc'ceivc'd  the  ’  reejData"  to  provide  the  cer¬ 
tificate's.  As  well  as,  the  functions  to  attc'st  the  (‘onfigurat ion,  etc.  Se'condly,  the 
“(’A  Interface'”  interface  provich'S  the  fiinetionality  to  deal  with  the  Certification 
Authority.  This  intc'rface  contains  some  fiinc'tions  that  provide  the  c'c'rtification 
authority  label  value,  the  identihe'ation  and  the  public  kc'v.  as  well  as  the  fiiiie'- 
tions  to  generate  the  credentials  for  the  attestation  identity  key.  Thirdly,  the 
‘‘Att('stConlig_Interfacer  j)rc)vidc's  aerc'ss  to  j)latform  configuration  values,  as 
wc'll  as  own  platform  value's.  Thi.s  interfac'e  i)rovide'S  the  PCRs  indexc'S  to  the 
remote  containc'rs.  TPM  owner  jKissword,  storage  of  ke'vs,  etc. 

A  relevant  aspect  using  the  attestation  identity  key  (AIK)  in  the  protocol  is 
the  production  of  the  signature'.  The  TPM  geiierate's  the  AIK  and  thi.s  must  be 
certific'd  by  a  valid  certification  authority.  Following  we  describe  how  the  kew  is 
geneiate'd  and  ce'rtified. 

“AttestTool  Impleme'iit”  is  re'epu'Ste'd  for  genc'rate  an  attc'station  identity  kc'y 
key  and  a  cTedentials  request  to  TPM.  Tlien,  TPM  is  used  to  generate  the  atte\s- 
tation  identity  key  {is  well  as  the  reqiie'st  and  these  are  de'hvere'd  to  Attc'stTool. 
Hecjuest  is  encrypt c'd  in  sucli  <i  wiiy  tlnit  only  the  certification  authority  is  able  to 


294 


A.  Munoz,  A.  Mafia,  and  P.  Anton 


road.  The  "AttestTool_ Implement”  sends  a  certification  authority  reciuost.  Next 
the  Certification  Authority  (CA)  is  used  to  decrypt  the  reejuest  and  generates  the 
credentials  which  are  delivered  to  “AttestTool_Implcnient’'  in  such  a  way  that 
only  TPM  can  decrypt.  The ‘'AttestTool_Implem('nt”  s(mds  the  Certification  Au¬ 
thority  (CA)  responses  to  TPM.  And  TPM  fuiietionalities  are  used  to  decrypt 
the  requested  data  and  sends  the  key  data  to  the  “AttestTool^Irnplement”. 

Sevc^ral  iiitc'rfaces  intcnact  in  this  process;  (i)  Thc'‘AIKRe(in(‘stI)ata_Iiiterface” 
contains  the  lu^eded  data  to  allow  the  TPM  to  generate  the  attestation  iden¬ 
tity  keys  (AIK),  as  well  as,  to  create  the  credentials  gcnc'ration  reqnc'st.  (ii)  The 
“AIK Request Data_Interfacc’'  contains  the  needed  data  to  allow  the  certification 
authority  (CA)  to  generate  the  credentials  for  the  attestation  identity  keys  (AIK). 
(iii)An(l  the  “AIKResponse  Interface”  that  contains  the  data  to  allow  the  TPM 
to  obtain  the  credentials  generatc'd  by  the  ccTtification  authority. 

At  this  point  we  briefly  described  some  relevant  classes.  “AIKReciuestData 
_Interfacc”  provides  “getIdentityLabel()”  method,  this  returns  the  attestation 
identity  key  label.  The  “AIKRe(|iiest_Interface”  providers  accc\ss  to  the  identity 
label,  data  to  the  certification  authority  to  certify  the  attestation  identity  key, 
AIK  public  kc*y  from  TPM,  key  wrappers,  etc.  “AIKResponse_ Interface”  inter¬ 
face  providers  the  functionalities  to  manage  the  attestation  identity  key,  which  is 
to  get  the  key  handler  in  TPM,  the  attc'station  identity  public  kc'y,  attestation 
idcuitity  key  credentials,  key  wrappers,  etc. 

Once  the  attestation  identity  key  rc^aches  the  destination  the  service  genc'rates 
the  configuration  attestation  data,  then  the  signature  is  produced  with  thc^se 
data.  Unally,  we  describe  other  important  elements  in  this  solution,  we  aim  to 
the  credentials.  Some  ciassc's  are  dedicated  to  deal  with  the  credentials.  The 
certification  authority  generates  the  attestation  identity  key  credentials  defined 
by  “AIKCrc'dentials_Interfac  e”  interface. 

6-2  SecurelnterPlatforniMobility  Service 

The  SeeurelnterPlatforiiiMobility  service  uses  most  of  used  elements  in  the 
SecureAgentMobility  service.  However,  in  this  case  we  deal  with  migration 


Algorithm  2.  Secure  migration  protocol 

1:  SA  agent  requests  SI  service  to  move  to  C''2  container. 

2l  SI  service  stuids  a  rtunot.c  attestation  request  to  Si  M  service  from  main  container  of  its  platform. 

3:  SlM  service  sends  a  request  for  remote  attestation  to  source  platform  AMS,  Al. 

4:  Al  sends  a  request  for  atte.station  to  destination  platform  AMS,  A.2. 

5:  A2  accepts  the  request  and  notifies  to  Al. 

Gr  Al  iiotifie.s  SIM  service  ac cept-ation. 

7‘.  SlM  service  notifies  SI  .service  ac<*eptation. 

8. '  SI  service  sends  request  data  to  SlM  service. 

9. ‘  SlM  service  .sends  data  to  Al  request. 

10:  Al  sends  request  data  to  A2. 

11:  A2  responses  to  Al  sendind  the  attestation  result. 

12:  Al  s*ends  re.sult  to  SIM  service. 

13:  SIM  service  .sends  received  result  to  SI  service. 

14:  SI  service  starts  agent  migration  to  destination  platform  main  container. 


In  the  lYack  of  the  Agrnt  Protortion 


295 


l)('lw(vii  (liffcreiit  platforms,  that  is,  the  service'  messages  between  the  source 
container  and  the  (lestination  eontaiiier  are  not  allowed.  This  implies  that  both 
containers  must  belong  to  the  same  platform.  This  fact  restricts  the  cominiiniea- 
tion  by  using  ‘Agent  Coimminication  Language*  ACL  nu'ssages.  The  secure  mi¬ 
gration  j)rotocol  f(M*  See  iirelnterPlatforinMobility  s('r\’ice  is  following  described. 

The  source  container  service  needs  the  intera(‘tion  of  the  main  ('ontaiiu'r  ser\  ic(' 
to  interact  with  the  destination  platform  AMS,  in  such  a  way  that  the  only  way 
to  access  to  agent  management  system  (AMS)  class  inij)l('niented  from  tlu'  main 
container.  Thecommniiication  bc'tween  the  source  platform  AMS  and  the  destina¬ 
tion  platform  agent  management  system  (AMS)  is  done  by  agent  communication 
language'  (ACL)  messages.  Destination  AMS  uses  “Attest Tool^Imph'nu'iit*'  cla.ss 
to  deal  with  s('rvdc('  messages.  The  rest  of  service  ojx'ralion  comj)onent  is  similar 
to  the  Se'ciireAgent Mobility  afore  detailed. 

7  Application  of  Secure  Agents  to  Clouds  Coniputing 

The  term  ‘'cloiuF’  is  ns('d  as  a  metaphor  for  the  hit  ('met.  based  on  the  cloud 
drawing  used  in  th('  past  to  reju(‘.sent  the  telephone  network  and  later  to  dejiict 
tb('  IiiteriK't  in  com|)nter  network  diagrams  as  an  abstraction  of  the  imd('rlying 
infrastructure  it  rejin'si'iits.  Typical  cloud  computing  jiroviders  (h'liver  common 
biisiiu'.ss  ap])licati(^ns  online  which  are  acc('ssed  from  another  web  service  or  soft¬ 
ware'  lik(*  a  web  browser,  wbih*  the  software  and  data  are  ston'd  on  .servers.  Most 
(loiui  coni])nting  infrcistrncture  consists  of  reliable  s(u*\u(es  delivc'n'd  through 
data  centers  and  built  on  sc'i  vers.  Clouds  oflmi  appear  i\s  singh'  points  of  acce.ss 
for  all  consumers'  compiitiiig  needs. 

In  geiK'ral,  cloud  coinjiiitiiig  (uistoiners  do  not  (wn  th('  jihysical  infr^istnu- 
ture.  inst('ad  avoiding  capital  exj)en(iiture  by  renting  usage  from  a  third-party 
provider.  They  coiisiniK'  resources  as  a  service  and  pay  only  for  resoinws  that 
tlic'y  ns(\  Many  clond-coinj)uting  offerings  employ  tlu'  utility  computing  moch'l. 
whi('h  is  analogous  to  how  traditional  utility  .services  (such  as  electricity)  ar(' 
consiniK'd.  whc'H'as  others  bill  on  a  subscrijition  brisis.  Sharing  “])erishabl('  and 
iiitangibh'"  computing  powia*  among  imiltiple  tenants  can  ini])rove  utilization 
rate's,  as  servers  an'  not  nnii('C('ssarily  left  idle  (which  can  n'diice  costs  signifi¬ 
cantly  while  incn'asing  the  spe('d  of  ai)j)li(‘ation  develo{)ment).  A  sidc'-elfect  of 
this  aj)])roach  is  tliat  overall  (onij)Uter  usage  ris(vs  dramatically,  as  ciistonuus 
do  not  have  to  engiiuH'r  for  jx'ak  load  limits.  lu  addition,  “iucrea.sed  high-sp(X*d 
bandwidth"  makes  it  po.ssible  t.o  receive  the  same  respoii.sc'  times  from  (‘('iitral- 
iz(‘d  infrastructure  at  otlu'r  site.  Obviously  the  most  relevant  issue  to  fac('  is  the 
lack  of  the'  approj)riate  security  mecliaiiisms. 

However  wr  advocate  for  a  new  mode  of  ch^uds  (  oinj)utiug  in  wIi’k  Ii  not  only 
data  are  processed  by  the  clouds,  instead  of  it  user  (‘ode 's  could  be  ex('ciit('d 
in  the  cloud.  Evidc'iitly,  the  security  is  the  cornerstone  for  the  successful  of  this 
approat'h.  We  envisage  a  parallelism  between  the  s(^ciirity  in  this  ik'w  vision  of 


296 


A.  Munoz,  A.  Mana,  and  P.  Anton 


clouds  computing  and  mobile  agent  systems,  there  an'  pieei's  of  software  that 
are  executed  in  different  environments.  Both  eiivironmeiits  present  similar  secu¬ 
rity  issues,  and  we  projicse  to  use  the  same  model  presented  in  this  i)aper  to 
clouds  computing. 

8  Conclusions  and  Future  Research 

In  this  paper  we  provide  a  general  solution  based  on  solving  the  problem  of  the 
‘‘malieions  hosts’'.  Our  apj^roach  is  based  on  the  ‘‘Trusted  Comi)uting  Module’’ 
security  capabilities.  Despite  onr  solution  is  a  friendly  library,  but  this  is  built 
on  a  robust  secure  basis  as  we  explained  in  this  paper.  Possible  future  lines  of  re¬ 
search  are  the  improvement  of  the  keys  management  system  of  the  library.  Our 
library  uses  RSA  keys  for  attestation  protocol  that  must  be  loaded  in  TPM. 
However  the  size  for  key  storage  in  the  TPM  is  very  limited,  then  it  mu.st  be 
earefully  managed  to  av^oid  arisen  space  problems.  The  key  management  of  our 
library  might  be  improved,  that  is.  our  library  handles  the  keys  in  such  a  way 
that  only  one  key  is  loaded  in  TPM.  Therefore,  keys  are  loaded  when  will  ii.se 
and  downloaded  after  they  are  used.  This  procedure  is  not  very  efficient  due  to 
the  many  key  transaetions  done.  We  propose  the  use  a  mechanism  that  allows 
to  download  the  .same  key  that  we  will  use  in  next  step,  but  this  is  an  open 
field  for  future  ic.searching.  A  difl'erc'iit  approach  in  the  key  management  lies  on 
caching  these  keys.  Thus,  several  keys  ean  be  loaded  simultaneoiisly  in  the  TPM 
making  the  management  system  more  flexible  and  efficient.  However,  this  ai>- 
proach  i)resents  some  lacks.  For  instance,  some  kind  of  key  rejflaee  policy  might 
be  established  to  determine  which  key  is  removed  for  a  new  one  cache.  Never¬ 
theless,  this  tfisk  is  out  of  the  scope  of  this  paper  and  we  only  propo.sc'  as  future 
researches.  Another  future  line  is  to  extend  the  library  with  new  functionalit  ies 
to  secure  migration  services  to  provide  of  concurrency.  I'liat  is,  the'  secure  mi¬ 
gration  s('rvice  imi)lenient(Hl  in  the  library  provides  secure  migration  to  a  remote 
container,  but  they  handle  a  unique  request  at  the  same  time.  Therefore,  when 
the  migration  reque.st  arrives  while  migration  is  actually  performed  those  are 
refused.  This  fact  hapi)('ns  due  to  the  TPM  key  management  mentioned  above'. 
A  possible  extension  of  the  library  is  to  provide  of  a  se'cure  migration  service 
with  the  capability  to  handle  simultaneous  reeiuests.  Finally,  we  propose  the  ini- 
plemeiitation  of  the  SecMiLiA  in  a  difTerent  tamper  re.sistant  hardware  such  as 
the  smartcard  to  j)rovide  a  j)ioof  of  coiice])t  of  the  versatility  of  this  ap]:)roaeh. 


Acknowledgments 

Work  partially  support('d  by  F.U.  through  projects  SERENITY  (IST-027587) 
and  OKKAM  (1ST-  215032)  and  DESEOS  project  funded  by  the  Regional  Gov¬ 
ernment  of  Andalusia. 


In  the  Tfack  of  the  Agent  Protection 


297 


References 

1.  Trusted  roinputiug  group:  Teg  specifications  (2005), 
https : //www . trustedcomputinggroup . org/ specs/ 

2.  Carl,  A.G.,  Hoineier,  P.,  Nettles,  S.:  Infrastructure  for  proof-referencing  code.  In: 
Proceedings  Workshop  on  Foundations  of  Secure  Mobik'  Code  (1997) 

3.  Collberg,  C.S.,  Thomborson,  C.:  Watermarking,  tamper-proofing,  and  obfuscation 
-  tools  for  soft  ware  protection.  University  of  Auckland  Teclinical  Report  170  (2000) 

1.  Harrison.  C.,  Chess.  D.,  Kershenbauin,  A.:  Mobile  agents:  Are  they  a  good  idea?. 
IBM  Re'search  Report  (1995) 

5.  Karnik.  N.:  Security  in  Mobile'  Agents  systems.  PliD  the'sis,  Department  of  Com¬ 
puter  Science,  Ibiiversity  of  Minnesota  (1998) 

6.  Mana,  A.:  Proteccion  de  Software*  Basaela  en  Tarje'tas  Intelige'iites.  PhD  the.si.s, 
University  of  Malaga  (2003) 

7.  Mafia,  A.,  Munoz,  A.,  Serrano,  D.:  Towarels  secure  age'iit  computing  for  nbiejuitous 
computing  anel  ambient  intelligence.  In:  Iiieliilska,  J.,  Ma,  J..  Yang,  L.T.,  Unge'rer, 
r.,  Cae),  J.  (e'ds.)  UlC  2007.  LNCS,  vol.  4611,  pp.  1201  1212.  Springer,  Ile'ielelberg 
(2007) 

8.  Necnla.  G.:  Pre^eif-carrying  e  eiele*.  In:  Procee^dings  of  24th  Ainiiial  Syinpei.siimi  on 
Ih'inciples  of  Prograiiiiiiing  Languages  (1997) 

9.  Walibe,  R.,  Lncco,  S.,  Anderson,  T.E.,  Graham,  S.L.:  Efficie'iit  se)ftware-ba.seel  fault 
isedatieni.  In:  Proce*eelings  eT  the  I4tli  ACM  Syinposimn  on  Operating  Systems 
Principle's,  pp.  203  216  (1993) 

10.  Roth,  V.:  Mutual  proti'ction  of  cooperating  agents.  In:  Yitek,  .1.  (eri.)  Secure  In- 
terne't  Programniiiig.  LNCS,  vol.  1603.  Springer.  Heidelberg  (1999) 

11.  Stern,  J.,  Hachez,  G.,  Koeiine,  F.,  Qui.se|nater,  Reibust  objevt  wate'rniarking: 
Application  to  ce^le.  In:  Banerjee,  U.,  Gelernter,  D.,  Nicolaii.  A.,  Paelna,  D.A. 
(e'els.)  LCPC  1993.  LNCS,  vol.  768.  pp.  368  378.  S])ringer,  Heidelberg  (1994) 

12.  Yee,  S.B.:  A  sanctuary  for  mobile  agents.  In:  Scx'ure  Internet  Programniiiig  (1999) 

13.  Bozga.  L.,  Lakhiiech,  Y.,  Perin,  M.:  Heriiu's,  a  toeil  ve'rifying  secre'ey  proper! ie's  e)f 
unbounded  security  protoe:e)ls.  lir.  Hunt  .Jr.,  W.A.,  Soiiieiizi,  F.  (eds.)  CAV  2003. 
LNCS,  vol.  2725.  pp.  219  222.  Springer,  Ileielelberg  (2003) 

14.  Foundation  fen'  Intelligent  Physical  Agents:  FIPA  Abstract  Architecture  Spe'cifica- 
tion  (2002),  http://www.fipa.org/specs/fipa00001 

15.  Munoz.  A,,  Mafia,  A.,  Harjani,  R.,  Montene'gre),  M.:  Age'iit  Prote^ctieni  baseel  eni 
the*  use  eT  cryptographic  hardware.  In:  Proeeeelitigs  of  the  33rd  Annual  IEEE  lii- 
teTiiational  Coinpiite'r  Software  c\nd  Applications  Conference,  C'OMPSAC  2009  to 
be  held  in  Seattle, Washington,  July  20-JiiIy  24,  1EE]E,  Le).s  Alainitos  (2009) 


Security  and  Scalability  of  Remote  Entrusting  Protection 


Vasily  Desnitsky  and  Igor  Kotenko 


St.  Petersburg  Institute  for  Informatics  and  Automation  (SPIIRAS) 
39,  14  Linija,  St.  Petersburg,  Russia 
{desnitsky,  ivkote) @coinsec  .  spb .  ru 


Abstract.  The  paper  outlines  to  the  problem  of  correlation  between  security  and 
scalability  of  software  protection  against  tampering  based  on  the  remote  en¬ 
trusting  principles.  The  goal  of  the  paper  is  to  propose  a  technique  allowing 
choosing  the  most  effective  combination  of  different  protection  methods  to  ap¬ 
ply.  The  technique  is  aimed  at  finding  a  trade-off  between  performance  of  the 
protection  mechanism  and  its  security,  ensuring  both  a  necessary  security  level 
and  an  appropriate  scalability.  The  technique  encompasses  the  evaluation  of 
particular  protection  methods  belonging  to  the  whole  protection  mechanism  and 
getting  quantitative  metrics  of  their  performance  and  security  level. 

Keywords:  Remote  entrusting,  performance  analysis,  security  analysis,  combi¬ 
nation  of  protection  methods. 


1  Introduction 

One  of  the  most  important  requirements  to  software  protection  mechanisms  is  to  pro¬ 
vide  a  proper  performance  and  scalability  besides  its  security  (attack  resistance).  This 
requirement  is  really  necessary  to  implement  to  be  able  to  use  the  mechanism  in  prac¬ 
tice.  Currently,  software  protection  means,  based  on  the  client-server  architecture, 
assuming  that  the  server  has  to  ensure  correct  .service  for  a  great  number  of  clients 
working  simultaneously,  have  not  spread  widely  because  of  scalability  problem. 

The  mechanism  of  software  protection  based  on  the  remote  entru.sting,  proposed  in 
the  RE-TRUST  Project  [9],  is  aimed  at  discovering  the  unauthorized  modifications  of 
a  client  program  functioning  in  potentially  hostile  environment.  This  mechanism 
assumes  a  client  program,  to  be  protected,  is  executed  within  untrusted  client  envi¬ 
ronment,  and  a  trusted  entity  is  located  on  a  safe  host.  According  to  the  remote 
entrusting  scenario  [5],  the  protection  mechanism  uses  different  software  (SW)  and 
hardware  (HW)  based  protection  methods  (Tamper  Resistance  methods,  TR  methods) 
as  well  as  their  combinations.  Each  of  them  being  embedded  into  the  whole  protection 
mechanism  represents  some  specific  type  of  defense  of  a  target  application  against 
tampering.  The  majority  of  TR  methods  assumes  those  implementation  is  shared 
between  the  client  and  the  trusted  server  side.  For  instance,  as  one  of  TR  methods, 
check  sums  are  computed  on  clients  and  then  delivered  and  checked  on  the  server. 

According  to  the  remote  entrusting  principles,  the  important  aim  of  the  protection 
is  to  minimize  the  .server  computations  to  make  the  mechanism  more  .scalable.  Other¬ 
wise,  if  for  every  client  the  trusted  server  has  to  fulfill  a  lot  of  resource  consuming 


I.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  298-306,  2010. 
O  Springer- Verlag  Berlin  Heidelberg  2010 


Security  and  Scalability  of  Remote  Entrusting  F^roicction 


299 


computations,  the  support  of  a  great  number  of  clients  could  appear  to  be  problematic 
and  practically  infeasible.  Thus,  the  problems  of  performance  and  scalability  arise. 

This  work  is  positioned  at  the  conjunction  of  two  research  directions  -  security 
analysis  and  performance  analysis  of  software  protection  methods.  In  contrast,  the 
existing  works  address  and  estimate,  for  the  most  pan,  the  security  and  performance 
of  cryptographic  protection  methods,  which  better  do  for  formal  evaluation  techniques 
1 8,  13|,  or  these  properties  of  particular  security  protocols  or  tools  [4,  11]. 

The  paper  aims  for  reaching  the  trade-off  between  security  and  scalability  within 
the  problem  of  SW  protection  based  on  remote  entrusting  principles.  The  remote 
entrusting  mechanism  is  based  on  client-server  architecture  and  uses  a  bundle  of  pro¬ 
tection  methods,  which  essentially  differ  from  each  other  by  protection  principles 
and  are  characterized  by  diverse  security  and  resource  consuming  requirements. 
Therefore,  the  estimation  of  such  protection  methods  turns  out  to  be  a  problem  of 
specific  character,  which  should  have  an  acceptable  .solution.  For  instance,  a  great 
heterogeneity  and  disparateness  of  Software  Guards  [  I  ]  and  Barrier  Slicing  [6]  protec¬ 
tion  methods  stipulate  difficulty  of  producing  a  unified  approach  to  evaluate  their 
security  strength  and  performance.  Thus,  in  contrast  to  more  conventional  investiga¬ 
tions  (i.e.  analysis  of  security  level  and  performance  penalties  of  various  crypto 
ciphers,  hash  functions,  etc.),  the  evaluation  of  TR  methods  in  question  and  their 
combinations  appears  to  be  a  weakly  inve.stigated  task. 

The  paper  is  structured  as  follows.  Section  2  considers  shortly  TR  methods  and  re¬ 
mote  entrusting  principles.  Section  3  outlines  the  proposed  problem  definition  and 
analysis.  In  section  3,  we  fonnalizc  the  task  to  be  solved.  Section  4  contains  the  em¬ 
pirical  studies  focused  on  evaluating  the  performance  and  security  level.  Conclusion 
surveys  the  paper  results  and  future  research  directions. 

2  Tamper  Resistance  Methods  and  Remote  Entrusting  Principles 

In  the  paper  we  differentiate  two  notions:  a  prenection  mechanism  and  a  TR  or  protec¬ 
tion  method.  By  the  protection  mechanism  we  mean  the  protection  mechanism  against 
tampering  based  on  remote  entrusting  principles,  which  includes  a  combination  of 
different  TR  methods.  In  Table  1  some  TR  methods  being  applied  within  the  protec¬ 
tion  mechanism  are  referenced  to.  The  complete  list  and  description  of  the  protection 
methods  are  considered  in  [9]. 


Table  I.  Examples  of  TR  mcihods  used  in  the  protection  mechanism 


TR  method 

References 

Control  Flow  Checking 

114] 

Invariant  Checking 

110) 

Obfuscation  techniques 

17) 

Checksum  monitoring 

[2] 

Crypto  Guards 

[II 

Barrier  Slicing 

[6] 

Orthogonal  and  Continuous  Replacement 

15] 

300 


V.  Desnitsky  and  I.  Kotenko 


Each  TR  method  used  within  the  mechanism  implements  one  or  several  remote 
entrusting  principles  from  the  following  list: 

-Remote  attestation.  The  principle  assumes  embedding  a  specific  software  com¬ 
ponent  (monitor)  into  the  client  program.  The  monitor  gathers  data  characterizing  the 
program  dynamic  state  and  sends  them  to  the  trusted  server  for  their  checking.  The 
principle  is  realized  by  means  of  such  methods  as  invariant  checking,  control  flow 
checking,  checksum  monitoring  and  others  [1,  2,  7,  10,  14].  This  protection  principle 
supposes  the  fulfillment  of  a  special  detection  function  on  the  server. 

-  Code  splitting.  This  principle  lies  in  the  fact  that  some  code  segments  of  the  cli¬ 
ent  program  are  extracted  and  transferred  to  the  server.  The  goal  here  is  to  find  and 
protect  in  such  a  way  the  most  crucial  parts  of  code.  As  a  result  an  attacker  can  not 
directly  access  the  processes  running  these  code  segments  and,  hence,  is  not  able  to 
influence  them.  As  an  example,  barrier  slicing  method  [6]  implements  this  principle. 

-  Dynamic  replacement.  First,  the  principle  comes  to  regular  replacement  of  the 
monitor  embedded  into  the  client  program.  Second,  it  implements  replacement  of 
.some  program  components  critical  from  the  security  viewpoint.  Periodic  replacement 
in  both  considerations  targeted  at  impediment  to  attacks  on  the  protection  mechanism 
and  protected  program.  A  representative  example  of  this  principle  is  orthogonal  re¬ 
placement  method  [5].  This  method  supposes  realization  of  replacement  with  by 
means  of  creating  mutually  independent  (orthogonal)  versions  of  the  software  com¬ 
ponent  on  a  basis  of  various  obfuscation  techniques. 

In  contrast  to  existing  protection  mechanisms  such  as  Pioneer  115],  SWATT  [16], 
Genuinity  [12]  and  some  others,  which  accomplish  software  protection  on  the  basis  of 
client-server  architecture  and  particularly  implement  remote  attestation  principle,  the 
proposed  protection  method  [9]  is  remarkable  for  a  dynamic  character  of  protection. 
This  dynamism  is  described  by  the  following  properties:  dynamic  change  of  a  bundle 
of  applied  TR  methods;  dynamic  installation  and  enforcement  different  TR  methods 
modules  on  the  fly  without  suspending  the  protection  process.  The  choice  of  particu¬ 
lar  TR  methods  is  fulfilled  reasoning  from  their  characteristics  of  resource  consump¬ 
tion  and  protection  strength  they  provide. 


3  Problem  of  Trade-Off  between  Security  and  Performance 

The  problem  of  achieving  the  reasonable  trade-off  between  security  and  .scalability  is 
in  the  fact  that,  in  addition  to  granting  the  proper  security  level,  the  protection  mecha¬ 
nism  has  to  be  quite  scalable  to  support  protection  for  a  sufficiently  great  amount  of 
clients.  If  the  mechanism  is  insufficiently  scalable,  its  effectivene.ss  will  appear  to  be 
close  to  zero,  since  it  can  not  be  exploited  in  practice.  The  actions,  which  influence 
the  mechanism’s  .scalability,  are  primarily  those  ones  that  are  fulfilled  on  the  trusted 
server,  i.e.  verification  functions  and  other  procedures  supporting  the  TR  methods. 
The  complexity  of  these  actions  grows  proportionally  to  the  amount  of  clients  being 
served.  Therefore  reaching  a  good  scalability  requires  using  first  of  all  those  TR 
methods  that  do  not  contain  any  complex,  resource  consuming  computations  within 
the  trusted  entity. 

By  the  .scalability  aim  we  mean  a  requirement  that  the  dependency  between  the 
computational  complexity  of  the  needed  actions  on  the  trusted  server  and  the  quantity 
of  clients  being  fulfilled  simultaneously  should  be  close  to  a  linear  or  even  constant 


Security  and  Scalability  of  Remote  Entrusting  Protection  301 


function.  It  is  obvious  that  the  constant  dependency  is  not  feasible  in  practice,  how¬ 
ever  the  closer  the  dependency  to  con.stant  one,  the  better  .scalability  the  mechanism 
reaches.  More  concrete,  the  scalability  of  the  whole  protection  mechanism  comes  to 
the  issue  of  scalability  of  each  particular  TR  method. 

The  approach  presented  in  the  paper  consists  of  solving  the  following  tasks: 

•  Evaluation  of  resources  consumed  by  each  TR  method  on  the  trusted  server. 

•  Evaluation  of  security  {attack  resistance)  level  of  each  TR  method. 

•  Choosing  the  most  effective  (optimal)  combination  of  TR  methods  for  imple¬ 
mentation  under  specific  restrictions  on  available  server  resources. 

As  a  result,  an  optimal  is  a  combination  of  TR  methods  that  allows  achieving  the 
highest  scalability  of  the  mechanism,  having  the  proper  security  level  ensured. 

4  Problem  Statements 

For  convenience  and  uniformity,  let  us  describe  below  the  formal  expressions  specify¬ 
ing  the  problem  statement  to  select  TR  methods. 

(1)  Let  Af  be  a  set  of  all  TR  melhods  being  realized  wilhin  the  protection  tnecha- 
nism: 


M  =  I  nil  m2,  .m,,}. 


The  set  M  =  {  ///j  }  is  defined  ju.st  as  an  enumeration  of  all  the  used  protection  meth¬ 
ods  nil,  i  =  \....pi . 

(2)  Performance  determined  by  resource  consumption  function  can  be  defined  as 
p:  M  P,  where  P  is  a  subset  of  -  space  of  vectors,  where  r  is  a  number  of  the 
server  resource  types,  p  matches  each  protection  method  to  a  vector  of  values  of  its 
re.source  specific  metrics.  For  each  resource  type  r  a  constraint  C[?‘]  characterizing 
size  of  this  resource  is  determined  as  well.  Thus,  for  each  protection  method  ;«/,  its 
re.source  consumption  could  be  represented  as  a  vector 


(/>'(w,)./r  (///,) . p'iin,)). 


(3)  Security  level  is  defined  as  a  function  determining  a  degree  of  provided  protec¬ 

tion  for  each  TR  method:  .v:  M  — ►  5,  where  5  -  a  subset  of  R  characterizing  the  secu¬ 
rity  of  different  TR  methods  {?«)},  i  =  1 . n  ,  from  the  set  of  selected  (used)  methods. 

(4)  The  problem  statement: 

The  common  goal,  we  would  like  to  achieve,  is  represented  as: 


302 


V.  Desnitsky  and  I.  Kotenko 


According  to  this  formula,  it  is  required  to  find  a  combination  M  of  TR  methods 
that  allows  minimizing  the  total  resource  consumption  and  at  the  same  time  maximiz¬ 
ing  the  total  security  level.  In  general  case,  the  goal,  we  would  like  to  achieve,  is  a 
multi-criterion  optimization  problem,  which  we  suggest  to  bring  to  a  single  criterion 
one. 

As  re.source  consumption  function  is  defined  by  us  as  a  vector  function,  wc  sup¬ 
pose  here  to  minimize  some  norm  of  it.  There  are  several  possible  definitions  of  the 
norm  in  the  space  of  resource  consumption  vector  functions: 

■  A  single  component  that  is  the  most  critical.  Here,  I  I  equals  to  the 

value  of  minimal  component  piin^). 

■  A  distance  between  the  vector  of  the  total  resource  consumption  and  the  con¬ 
stant  vector  C  E  R'  characterizing  server  resources  available  for  protection 
methods. 

Let  us  consider  a  refined  .statement  of  the  problem  we  solve,  which  is  expre.ssed  by 
the  following  formulas: 


piM )  — >  min 


Here  by  p(M )  wc  mean  the  total  value  of  re.source  consumption  metric  for  a  combi¬ 
nation  M  of  TR  methods,  whereas  S  denotes  a  constraint  determining  the  minimal 
due  security  level  the  methods  should  provide.  Thus,  the  task  to  be  solved  is  to  choo.se 
a  set  of  protection  methods  that  the  resource  consumption  function  to  be  no  more  than 
a  .specific  constant,  having  the  proper  total  security  provided.  Constant  s  is  assumed 
to  be  determined  by  means  of  both  empirical  study  and  theoretical  analysis  of  resis¬ 
tance  of  the  protection  methods.  In  practice,  the  precise  value  could  be  specified  by 
the  designer/admini.strator  of  the  system  and  supposed  to  change. 

(5)  Computation  of  performance  and  security  metrics: 

Consider  how  pittii)  and  s{m^)  values  could  be  determined  for  each  protection 
method.  Estimation  of  resource  consumption  is  represented  by  the  following  ap¬ 
proaches  having  both  theoretical  and  empirical  peculiarities: 

■  On  the  theoretical  level,  each  TR  method  is  subjected  to  analysis  and  its 
model,  repre.senting  its  implementation,  is  constructed.  Such  a  model  contains 
merely  tho.se  operations  that  are  the  most  important  for  performance  view¬ 
point.  Resource  consumption  metrics  for  protection  method  asse.ssnient  are 
developed  as  well. 

■  On  the  empirical  level,  both  the  software  realization  of  this  model  on  a  high- 
level  programming  language  and  the  procedures  to  measure  the  resource 


Security  and  Scalability  of  Remote  Hntmsting  Protection 


303 


consumption  metrics  are  completed.  Computation  of  group  metrics  p  is  ful¬ 
filled  by  means  of  the  following  formulas: 


p'(M)=  '■(»),.) 


p  (M)  =  min{/7"(M  )  I  re  R], 


For  each  //?•  and  r  the  values  of  (ffi-  )  are  obtained  experimentally,  whereas  the 


values*  p  {ni  )  and  p  (M)  are  calculated  analytically. 


The  group  metrics  are  calculated  by  means  of  the  values  of  the  single  metrics. 
Therefore  the  quantity  of  experiments,  conducted  for  group  metric  computation, 
represents  a  linear  function  of  the  amount  of  protection  methods,  instead  of  an  expo¬ 
nential  one  otherwise. 

The  difficulty  of  s(mi)  determining  is  in  the  fact  that  security  according  to  its  na¬ 
ture  is  a  qualitative  characteristic  of  a  protection  method.  Meanwhile,  our  task  is 
supposed  to  contain  also  granting  some  quantitative  character  to  security.  The  aim  is 
to  get  a  possibility  in  different  cases  to  make  a  choice  of  the  most  preferable  (from 
security  viewpoint)  combinations  of  protection  methods. 

In  general  case  protection  level  of  a  TR  method  m\  is  meant  as  a  complexity  of  ac¬ 
complishment  of  an  attack  aimed  at  its  compromise.  This  approach  includes  attack 
complexity  estimation  for  each  TR  method.  In  practice,  however  it  is  considered  to  be 
infeasible  due  to  the  complexity  of  analysis  involved,  including  the  complexity  of 
estimating  the  attacker's  cognitive  processes,  which  are  the  core  elements  in  the  proc- 
e.ss  of  attack  fulfillment  by  the  intruder. 

We  have  proposed  a  technique  based  on  expert  judgments,  which  is  supposed  to 
collect  and  prtK'e.ss  the  opinions  of  experts  with  use  of  system  analysis  methods.  Each 
expert  slates  a  number  (from  I  to  10)  to  each  protection  method.  An  advantage  of  this 
approach  is  that  in  its  work  it  takes  into  consideration  all  knowledge  and  experience 
accumulated  hy  all  experts.  In  contrast  to  the  previous  approaches  this  one  does  not 
suppose  any  generalizations,  which  ultimately  introduce  extra  inaccuracy  into  the 
outcome.  Values  sitn^)  are  obtained  by  means  of  questioning  of  experts  and  calculat¬ 
ing  averaged  values  for  each  protection  method,  taking  into  account  both  a  priori  and 
a  posteriori  competence  of  every  expert  in  the  field  of  a  particular  protection  method. 

Values  of  group  metrics  of  protection  methods  for  combinations  s(M  )  are  calculated 
using  the  following  formula: 


5  Empirical  Study 

The  technique  of  combining  different  protection  methods  consists  of  the  following 
main  stages:  (1)  performance  evaluation,  (2)  security  evaluation,  and  (3)  determining 
the  most  effective  combination  of  protection  methods.  As  input  data,  a  set  of  TR 
methods  is  used.  As  output  data  a  set  of  combinations  of  TR  methods  is  produced. 


304 


V.  Desnitsky  and  I.  Kotenko 


To  evaluate  the  performance  of  TR  methods,  a  SW  prototype,  implementing  sev¬ 
eral  of  them,  including  control  flow  checking  (/M/),  invariant  checking  0n2),  barrier 
slicing  (nij)  and  orthogonal  replacement  (/n^)  has  been  realized.  On  a  base  of  this 
prototype  some  measurements  of  resource  consumption  have  been  conducted.  For 
each  TR  method,  a  highest  quantity  of  clients  that  can  be  served  simultaneously  is 
evaluated.  The  value  of  intensity  of  the  server  loading  is  also  measured.  This  intensity 
is  a  ratio  between  the  time  the  server’s  processor  is  loaded,  when  carrying  out  the 
protection  method,  and  the  entire  time  reserved  for  the  method. 

Fig.  1  demonstrates  some  results  of  the  experiments,  including  the  evaluation  of 
these  four  protection  methods.  Fig.  1  shows  dependencies  between  the  consumption 
of  the  re.source  r  and  the  amount  u  of  clients  which  can  be  .served.  Here  the  resource 
r  =  1  determines  the  metric  of  proce.s.sor  loading  intensity  (  /?' ),  whereas  C[1 1  repre¬ 
sents  a  constraint  of  the  whole  available  resource  volume.  p\M)  denotes  the  metric 
of  resource  consumption  for  a  combination  M  of  protection  methods. 


1 

P 


Fig.  I.  Dependencies  between  value  of  resource  consumption  and  amount  of  clients 

The  experiments  have  shown  that  in  practice  one  should  distinguish  one-time 
procedures  being  accomplished  by  the  server,  when  new  client  is  connecting  (in  par¬ 
ticular,  actions  on  connection  establishment,  client  authentication  or  crypto  key  agree¬ 
ment),  and  the  regular  actions  on  verification  of  clients.  Hence,  one  should  avoid 
simultaneous  mass  client  connections  to  avoid  strong  peak  loading. 

In  experiments  during  expert  questioning  [3],  the  data  from  ten  .security  experts 
have  been  received. 

Table  2  shows  the  generalized  estimations  of  security  level  for  some  of  the  meth¬ 
ods  investigated.  One  should  take  into  account  a  relativity  of  these  results.  Surely,  this 
evaluation  technique  can  not  be  exploited  as  a  proof  of  adequacy  of  the  protection 
mechanism  and  especially  to  compare  the  strength  of  this  mechanism  with  any  other 
SW  protection  means.  The  technique  under  consideration  represents  relatively  rough 
solution  to  evaluate  protection  methods,  which  adequacy  is  sufficient  for  TR  methods 


Security  and  Scalability  of  Remote  Entrusting  Protection 


303 


Table  2.  Results  of  security  evaluation  of  protection  methods 


TR  method 

Security  level 

Barrier  Slicing 

9,0 

Orthogonal  Replacement 

7,8 

Continuous  Replacement 

7,1 

Crypto  Guards 

6,2 

Control  Flow  Checking 

4,3 

Invariant  Checking 

3,3 

Obfuscation  technique:  opaque  predicates 

1,3 

Table  3.  Experimental  values  of  metric  processor  loading  intensity 


M 

mi 

m2 

ttu 

10 

8,7 

12 

59,9 

61,1 

20 

17,4 

14,3 

95,6 

81,5 

25 

21,8 

37,8 

- 

92,0 

50 

43,5 

35,7 

- 

- 

100 

87,1 

71,3 

- 

- 

combination  task  being  solved.  Thus,  as  a  whole,  this  solution  can  be  regarded  as  a 
supplement  to  security  evaluation  techniques  based  on  formal  approaches,  which  have 
their  own  drawbacks,  particularly,  as  a  rule,  they  are  characterized  by  a  significant 
complexity  in  implementation  and  further  analysis. 

Thus,  the  technique,  forming  the  search  of  optimal  combinations  of  TR  methods, 
comes  to  determining  some  numerical  data  characterizing,  first,  the  performance  for 
each  method  and,  seeond,  its  security  level. 

Table  3  contains  the  experimental  values  of  metric  obtained  for  different 
amount  of  clients  (u)  and  different  TR  methods  -  control  flow  checking  (//?/),  invari¬ 
ant  checking  (W2).  barrier  slicing  (m^)  and  orthogonal  replacement 

The  optimization  problem  .settled  in  Section  4  is  tackled  by  an  improved  exhaustive 
seareh,  supposing  a  restriction  of  combinations  under  consideration,  cutting  those 
ones  that  are  deliberately  not  optimal.  Note,  for  methods  m  ^  and  m4  for  some  //  values 
the  metric  values  are  not  specified,  that  is  for  this  amount  of  the  current  size  of  r'  this 
amount  of  clients  can  not  be  served. 


6  Conclusion 

In  the  paper  we  have  proposed  the  technique  determining  how  to  combine  various 
protection  methods  ba.sed  on  remote  entrusting.  The  technique  allows  addre.ssing  the 
problem  of  reaching  the  compromise  between  .scalability  and  security.  On  account  of 
objective  difficulties  of  correct  security  evaluation,  we  have  chosen  the  technique 
of  security  evaluation  ba.sed  on  expert  judgments.  The  technique  for  evaluating  the 
performance  of  protection  methods  comes  to  empirical  study,  where  resources 
consumption  values  are  obtained  as  metric  values.  Experiments  to  compute  the  values 
of  performance  metrics  as  well  as  to  question  the  experts  and  proce.ss  the  received 


306 


V.  Desnitsky  and  1.  Kotenko 


judgments  on  security  strength  of  protection  methods  were  carried  out.  As  a  future 
work,  we  supposed  to  search  and  construct  more  comprehensive  and  precise  tech¬ 
niques  of  performance  and  security  evaluation  and  perform  more  detailed  experiments 
to  choose  efficient  combinations  of  protection  methods. 

Acknowledgments 

This  research  is  partly  funded  by  the  EU  under  RE-TRUST  and  SecFutur  projects,  the 
grant  of  the  Russian  Foundation  of  Basic  Research  (Project  No.  10-01-00826)  and 
Program  of  fundamental  research  of  the  Department  for  Nanotechnologies  and  Infor¬ 
mational  Technologies  of  the  Russian  Academy  of  Sciences  (Contract  No. 3.2). 


References 

1.  Atallah,  M.,  Bryant,  E.,  Stytz,  M.:  A  survey  of  Anti-Tamper  Technologies.  The  Journal  of 
Defence  Software  Engineering  (2004) 

2.  Barbara,  D.,  Goel,  R.,  Jajodia,  S.:  A  checksum-based  corruption  detection  technique.  Jour¬ 
nal  of  Computer  Security  1 1(3)  (2003) 

3.  Beshelev,  S.D.,  Gurvich,  A.G.;  Mathematical-statistical  methods  for  expert  Judgments. 
Statistika  (1980) 

4.  Chappell,  B.L.,  Marlow,  D.T.,  Irey,  P.M.,  O’Donoghuc,  K.:  An  Approach  for  Measuring 
IP  Security  Performance  in  a  Distributed  Environment.  In:  Rolim,  J.D.P.  (ed.)  IPPS-WS 
1999  and  SPDP-WS  1999.  LNCS,  vol.  1586.  Springer,  Heidelberg  (1999) 

5.  Ceccato,  M.,  Preda,  M.,  Majumdar,  A.,  Tonella,  P.:  Remote  software  protection  by  or¬ 
thogonal  client  replacement.  In:  The  24th  ACM  Symposium  on  Applied  Computing  (2009) 

6.  Ceccato,  M.,  Preda,  M.,  Nagra,  J.,  Collberg,  C.,  Tonella,  P.:  Barrier  Slicing  for  Remote 
Software  Tnisting.  In:  The  IEEE  International  Working  Conference  on  Source  Code 
Analysis  and  Manipulation,  Paris,  France  (2007) 

7.  Collberg,  C.,  Thomborson,  C.:  Watermarking,  tamper-proofing,  and  obfuscation  tools  for 
software  protection.  IEEE  Transactions  on  Software  Engineering  28  (2002) 

8.  Freeman,  W.,  Miller,  E.:  An  Experimental  Analysis  of  Cryptographic  Overhead  in  Per¬ 
formance-Critical  Systems.  In:  The  7th  International  Symposium  on  Modeling,  Analysis 
and  Simulation  of  Computer  and  Telecommunication  Systems  (1999) 

9.  FP6  Project  RE-TRUST,  http :  /  /www .  re- trust .  org 

10.  Godoy,  G.,  Tiwari,  A.:  Invariant  Checking  for  Programs  with  Procedure  Calls.  In:  Palsberg, 
J.,  Su,  Z.  (eds.)  SAS  2009.  LNCS,  vol.  5673,  pp.  326-342.  Springer,  Heidelberg  (2009) 

1 1 .  Jain,  R.:  The  Art  of  Computer  Systems  Performance  Analysis:  Techniques  for  Experimental 
Design,  Measurement,  Simulation,  and  Modeling.  Wiley-Interscience,  New  York  (1991) 

12.  Kennell,  R.,  Jamieson,  L.H.:  Establishing  the  genuinity  of  remote  computer  systems.  In: 
The  1 2th  USENIX  Security  Symposium,  Washington,  DC,  USA  (2003) 

13.  Menasce,  D.A.:  Security  performance.  IEEE  Internet  Computing  7(3)  (2003) 

14.  Oh,  N.,  Shirvani,  P.P.,  McCluskey,  E.J.:  Control-Oow  checking  by  software  signatures. 
IEEE  Transactions  on  Reliability  5 1  (2002) 

15.  Seshadri,  A.,  Luk,  M.,  Shi,  E.,  Perrig,  A.,  Doom,  L.V.,  Khosla,  P.:  Pioneer:  verifying  code 
integrity  and  enforcing  untampered  code  execution  on  legacy  systems.  In:  The  Twentieth 
ACM  Symposium  on  Operating  Sy.stems  Principles.  ACM  Press,  New  York  (2005) 

16.  Seshadri,  A.,  Perrig,  A.,  Doom,  L.V.,  Khosla,  P.:  SWATT:  SoftWare-based  ATTestation 
for  Embedded  Devices.  The  IEEE  Symposium  on  Security  and  Privacy  (2004) 


A  Novel  Genetic  Approach  to  Provide 
Differentiated  Levels  of  Service  Resilience 
in  IP-MPLSAVDM  Networks* 


Wojciech  Molisz  and  Jacek  Rak 


Gdansk  University  of  Technology,  G.  Narutowicza  1  1/12, 
PL-80-233  Gdansk,  Poland 
{womol , j  rak} @eti . pg . gda . pi 


Abstract.  This  paper  introduces  a  novel  class-based  method  of  survivable  rout¬ 
ing  for  connection-oriented  IP-MPLS/WDM  networks,  called  MLS-GEN-H. 
The  algorithm  is  designed  to  provide  differentiated  levels  of  service  survivabil¬ 
ity  in  order  to  respond  to  varying  requirements  of  end-users.  It  divides  the 
complex  problem  of  survivable  routing  in  IP-MPLS/WDM  networks  into  two 
subproblems,  one  for  each  network  layer,  which  enables  finding  the  solutions  in 
a  relatively  short  time.  A  genetic  approach  is  applied  to  improve  the  quality  of 
results  by  solving  the  problem  iteratively. 

Modeling  results  show  that,  after  a  reasonable  number  of  iterations,  a  good 
solution  (up  to  22.55%  better  than  the  initial  one)  is  found  and  further 
improvement  is  hardly  possible. 

Keywords:  service  survivability,  IP-MPLS/WDM  networks,  routing,  differen¬ 
tiated  levels  of  service  resilience,  genetic  algorithms. 


1  Introduction 

Backbone  networks  are  migrating  from  synchronous  transmission  infrastructure  to 
next  generation,  high-traffic-volume  data  (e.g.:  IP-MPLS  or  IP/Ethernet)  over  optical 
transport  networks  (OTNs).  By  applying  wavelength  division  multiplexing  (WDM), 
OTNs  are  capable  of  carrying  many  independent  channels  (currently  160  or  320), 
over  a  single  optical  fiber  with  the  fastest  channels  supporting  a  data  rate  of  40  Gbps. 
Fiber  cuts  (the  most  typical  network  outages)  may  lead  to  service  disruption  and  huge 
data  and  revenue  losses.  Survivability,  i.e.  capability  to  deliver  essential  services  in 
the  face  of  failure,  or  attack,  is  a  key  concern  in  network  design.  There  are  two  ap¬ 
proaches  for  providing  survivability  of  connection-oriented  IP-over-OTNs:  protection 
and  restoration  [15].  In  the  protection  approach,  working  Ughtpaths  (being  sequences 
of  wavelengths  over  an  optical  network  with  fully  optical  processing  at  intermediate 
nodes)  are  protected  by  the  pre-computed  backup  paths,  applied  in  the  case  of  work¬ 
ing  path  failures.  Restoration  finds  dynamically  a  new  path,  once  a  failure  has 


*  This  work  was  partially  supported  by  the  Ministry  of  Science  and  Higher  Education,  Poland, 
under  the  grant  PBZ-MNiSW-02-lI/2007. 

1.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010,  LNCS  6258,  pp.  307-320,  2010. 

©  Springer- Verlag  Berlin  Heidelberg  2010 


308 


W.  Molisz  and  J.  Rak 


occurred.  U.sually  we  distinguish  either  path  protection/resioration,  or  link  protec¬ 
tion/restoration  against  a  single  link  or  node  failure.  However,  intermediate  solutions 
also  exi.st,  like  e.g.  area  protection  [9],  partial  path  protection  [17],  or  segmented 
shared  protection  [16]. 

1.1  Related  Works 

Majority  of  publications  focus  on  providing  survivability  in  one  (usually  optical) 
layer.  Recently,  several  papers  have  appeared  on  survivability  models  of  IP-ovcr- 
WDM  networks.  Sahasrabuddhe,  Ramamurthy  and  Mukherjee  [15],  assuming  that 
each  backup  path  in  the  WDM  layer  is  arc-disjoint  with  the  respective  primary  path, 
analyzed  protection  in  the  WDM  layer,  and  restoration  in  the  IP  layer.  They  proposed 
four  integer  linear  programming  (ILP)  models  and  heuristics  to  find  .solutions. 
Pickavet  et  al.  [13]  discussed  three  approaches  to  interworking  between  the  network 
layers  and  two  efficient  coordinated  multilayer  recovery  techniques. 

Ratnam,  Zhou  and  Gurusamy  [14]  addressed  the  problem  of  efficient  multilayer 
operational  strategies  for  survivable  IP-over-WDM  networks  and  proposed  several 
joint  multiple  layer  restoration  schemes  with  intra-layer  and  inter-layer  signaling  and 
backup  re.source  sharing.  Bigos  et  al.  [4],  and  Liu,  Tipper  and  Vajanapoom  [8]  de¬ 
scribed  various  methods  for  spare  capacity  allocation  (SCA)  to  reroute  disrupted  traf¬ 
fic  in  MPLS-over-OTN.  Cui  et  al.  [5]  proposed  a  multilayer  restoration  and  routing  in 
IP-over-WDM  networks  (called  EROTRIP)  with  the  bottom-up  scheme  and  GMPLS 
token  for  signaling  between  the  layers.  Recently,  Harle  and  Albarrak  [7]  proposed  a 
model  of  differentiated  survivability  in  a  GMPLS-based  IP-over-OTN  network  with 
cooperation  mechanisms  between  control  planes  in  different  layers. 

1.2  Outline 

We  consider  here  a  survivable  IP-MPLS-over-OTN-WDM  network  protected  against 
a  single  node  failure.  Demands  for  IP  flows  are  given.  We  assume  M  service  classes, 
numbered  from  0  to  A/-I.  Class  m  =  0  represents  the  demands  for  which  all  service 
recovery  actions  must  be  performed  as  fast  as  f>ossible  (i.e.  in  the  WDM  layer).  For 
other  service  classes,  the  values  of  IP-MPLS  restoration  time  may  increase.  In  the  first 
stage  of  our  algorithm,  for  each  service  class  we  find  a  node-disjoint  pair  of  working 
and  backup  label  switched  paths  (LSPs).  Then  we  group  the  IP  demands  into  .service 
classes  on  IP  links.  In  the  next  stage  we  map  working  LSPs  of  each  cla.ss  onto  pro¬ 
tected  lightpaths  according  to  available  capacities  of  optical  links.  The  scope  of  WDM 
protection  depends  on  the  service  class  number:  in  the  highest  cla.ss  m  =  0,  each  two 
adjacent  WDM  links  of  the  working  lightpath  are  protected  by  a  backup  lightpath, 
while  in  the  lowest  class  (///  =  A/-I)  with  no  backup  lightpaths,  all  the  recovery  actions 
must  be  performed  at  the  IP-MPLS  layer.  We  assume  a  bottom-up  restoration  .strat¬ 
egy.  If  a  working  path  consists  of  more  than  one  link,  then  a  failure  of  the  lightpath 
transit  node  can  be  restored  in  the  optical  layer.  Connection.s  which  cannot  be  restored 
in  the  WDM  layer,  should  be  restored  in  the  IP  layer.  All  the  optimization  models  are 
NP-complete,  since  their  simpler  version  -  the  task  to  find  IDI  working  paths  in 
capacitated  networks  in  a  single  network  layer  is  NP-complete  [11].  Therefore  we 
propose  the  novel  genetic  approach,  extending  the  one  of  [10]. 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


309 


The  rest  of  the  paper  is  organized  as  follows.  The  survivable  routing  problem  is 
sketched  in  Section  2.  Heuristic  algorithms  are  then  developed  to  solve  the  problems: 
the  MLS-H  algorithm  to  find  initial  solutions^  and  MLS-GEN-H  to  improve  them. 
Modeling  assumptions  are  described  in  Section  3.  Results  discussed  in  Section  4  show 
that  it  is  possible  to  decrea.se  the  total  network  cost  by  utilizing  the  technique  of 
genetic  algorithms. 

2  Survivable  Routing  of  IP-MPLS  Demands  in  the  IP-MPLSAVDM 
Network 

Due  to  the  complexity  of  the  original  problem  of  integrated  survivable  routing,  similar 
to  our  work  [10],  we  divide  here  the  problem  of  survivable  IP-MPLSAVDM  routing 
into  two  following  subproblems: 

a)  survivable  IP-MPLS  routing  consisting  of  determining  the  IP-MPLS  virtual  to¬ 
pology  and  finding  the  survivable  routing  of  IP-MPLS  demands, 

b)  .survivable  WDM  routing  (lightpath  routing  and  wavelength  assignment). 

Our  goal  is  to  provide  the  differentiated  levels  of  service  resilience  in  order  to  respond 
to  varying  requirements  of  end-users.  This  differentiation  is  defined  in  terms  of  the 
values  of  service  recovery  lime  and  the  frequency  of  performing  the  time-consuming 
recovery  actions  in  the  IP-MPLS  layer.  That's  why  we  introduce  M  service  classes, 
numbered  from  0  to  A/-L  Class  m  =  0  comprises  demands,  for  which  the  time  of  ser¬ 
vice  recovery  and  the  frequency  of  recovery  actions  in  the  IP-MPLS  layer  mast  be 
minimized.  For  other  service  classes,  these  values  are  allowed  to  increase. 

In  order  to  achieve  our  goal,  the  number  of  working  LSP  links  should  depend 
on  the  service  class  //?,  and  is  determined  as: 


(I) 


where:  |//^ 


is  the  number  of  arcs  of  the  end-to-end  shortest  path  between 
the  source  and  destination  nodes  of  the  r-th  IP-MPLS  demand 


m  is  the  class  of  a  demand  and  M  is  the  number  of  service  classes. 


working  LSP 

working  lightpath  for  working  LSP 


backup  LSP 

backup  Itghtpaths  for  working  LSP 


-  unprotected  lightpaths  for  backup  LSPs 


Fig.  1.  Example  IP-MPLSAVDM  survivable 
routing  (class  m  =  0) 


Fig.  2.  Example  IP-MPLS/WDM 
survivable  routing  (class  ni  =  M-1 ) 


310 


W.  Molisz  and  J.  Rak 


It  is  clear  from  the  formula  (1),  that  any  working  LSP  for  the  class  m  =  0  demand  is 
established  by  a  direct  IP-MPLS  link,  as  shown  in  Fig.  1.  This  implies  in  turn  that  no 
time-consuming  IP-MPLS  recovery  actions  will  take  place.  On  the  contrary,  for  the 
class  m  =  M-1,  each  link  of  the  working  LSP  will  be  mapped  onto  a  single-link  WDM 
lightpath  (Fig.  2),  implying  frequent  recovery  actions  in  the  IP-MPLS  layer. 

Similar  to  [10],  the  objective  of  the  subproblem  (a)  is  to  find  the  survivable  LSPs, 
where  each  working  LSP  is  protected  by  the  end-to-end  backup  LSP  having  no  com¬ 
mon  transit  nodes  with  the  respective  working  LSP. 

Fast  service  reeovery  in  the  WDM  layer  is  achieved  here  by  limiting  the  scope  of 
lightpath  protection.  For  that  purpose  we  determine  the  number  of  backup  lightpaths 
protecting  the  given  working  lightpath  as: 


4  = 


UJ-1 
M  -1 


xm+ 1  ;r^  I  — 1 


(2) 


where:  \7t  I  number  of  arcs  of  the  shorte.st  path  between  the  lightpath 

end-nodes;  all  the  other  symbols  have  the  same  meaning  as  in  ( 1 ). 

From  the  formula  (2),  one  can  observe  that  S„,  decreases  linearly  with  the  increase 
of  service  class  number  m.  In  particular,  it  means  that,  for  the  class  m  =  0,  any  backup 
lightpath  protects  two  adjacent  links  of  the  working  lightpath,  as  shown  in  Fig.  1, 
while,  for  the  class  m  =  M-1,  there  is  no  backup  lightpath  for  a  given  working  light¬ 
path  and  all  the  recovery  actions  must  be  performed  in  the  IP-MPLS  layer  (Fig.  2). 
However,  due  to  limitations  on  the  number  of  working  LSP  links  in  the  IP-MPLS 
layer  (implying  the  decrease  of  the  length  of  the  working  lightpath  with  the  increase 
of  the  service  class  number  m,  as  given  in  Eq.  1),  the  real  scopes  of  WDM  protection 
(measured  in  kilometers  of  fibers)  remain  at  the  same  low  level,  independent  of  the 
service  class  number.  This  in  turn  provides  fast  service  recovery  in  the  WDM  layer 
independent  of  the  service  class  number.  The  only  exception  is  for  the  class  m  -  M-\ 
with  no  backup  lightpaths  in  the  WDM  layer. 

The  backup  LSPs  are  grouped  into  service  classes  and  mapped  onto  the  unpro¬ 
tected  lightpaths.  The  basic  MLS-H  algorithm  is  given  in  Fig.  3. 

Steps  1-5-3  arc  responsible  for  determining  the  survivable  IP-MPLS  routing,  while 
Steps  4-5-6  are  used  to  find  the  survivable  routing  in  the  WDM  layer.  Since  each  .sub¬ 
problem  considered  here  is  NP-complete,  we  have  used  only  the  heuristic  approach  in 
computations.  Due  to  the  limitations  on  the  size  of  the  paper,  the  re.spective  ILP  for¬ 
mulations  may  be  found  in  the  electronic  version  at  [20]. 

However,  finding  the  solution  to  the  survivable  IP-MPLS  routing  problem  in  each 
network  layer  separately,  as  given  in  the  MLS-H  algorithm  from  Fig.  3,  certainly 
leads  to  suboptimal  solutions.  To  overcome  this  problem,  in  this  paper  we  propose  to 
use  the  metaheuristic  approach  based  on  genetic  programming  to  improve  the  quality 
of  results  by  solving  the  problem  iteratively.  Any  genetic  algorithm  is  a  domain- 
independent  approach  based  on  the  mechanisms  of  natural  selection  and  natural  ge¬ 
netics  [6].  Its  main  advantage  is  the  ability  to  perform  the  parallel  search  when  finding 
the  best  solution  as  well  as  the  adaptability  to  the  problem. 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


311 


Input  WDM  layer  topology  F  =  {N,  A),  where  N  and  A  are  the  sets  of  nodes  and  arcs; 

A  set  ID//.I  of  IP-MPLS  demands,  each  demand  d,  given  by  a  quadruple 
di={j),,  qt,  m,  where  p,,  q^  ni  J{p,)  are:  the  source  node,  the  destination 
n(xle,  the  service  class  number  and  the  requested  capacity,  respectively. 

Output  Survivable  multilayer  routing  of  demands 

Step  /  Create  the  matrix  S  of  costs  each  cost  equal  to  the  length  of  WDM  arc  a^. 

Step  2  For  each  demand  dt,  llnd  a  pair  of  working  and  backup  LSPs  using  Bhandari's 

algorithm  |3]  and  the  matrix  E  of  arc  costs. 

Step  3  Divide  the  working  LSPs  into  S  regions  (Hq.  I)  and  replace  each  part  of  the 

working  LSP,  determined  by  the  given  region,  with  a  direct  IP-MPLS  link. 

Step  4  Find  the  working  lightpaths  carrying  the  IP-MPLS  working  paths,  using  the 
Dijkstra's  algorithm  [3]  and  the  standard  distance  metrics,  treating  the  aggregated 
flows  from  the  same  service  class  m  between  the  end-nodes  of  the  IP-MPLS 
virtual  links  v^,  found  in  Step  3,  as  the  demands  for  the  WDM  layer. 

Step  5  Divide  each  working  lightpath  into  S„,  regions,  as  given  in  Eq.  2,  and  provide 
each  region  with  a  dedicated  backup  lightpath.  For  that  purpose,  replace  each 
part  of  the  working  lightpath,  determined  by  the  given  region,  with  a  pair  of 
nixie-disjoint  paths,  found  using  Bhandari's  algorithm  . 

Step  6  Provide  each  aggregated  IP-MPLS  backup  flow  between  the  end-nodes  and 
of  the  IP-MPLS  layer  virtual  link  \v  with  the  unprotected  WDM  lightpath*. 

if  finding  any  lightpath  is  not  feasible  due  to  the  lack  of  resources,  then  reject  all  the  end-user 
demands,  for  which  the  respective  paths  were  to  be  groomed  into  the  given  lightpath 


Fig,  3.  The  basic  MLS-H  algorithm  to  find  the  survivable  routing  of  IP-MPLS  demands 


Any  genetic  algorithm  starts  with  finding  an  initial  population  of  \CH\  chromo¬ 
somes^  each  chromosome  typically  repre.sented  by  a  binary  vector.  Each  next  iteration 
is  to  find  a  new  population  of  \CH\  chromosomes,  by  choosing  the  best  ones  from  the 
current  population  as  well  as  from  the  .sets  of  \CRS\  and  IML^Tl  new  chromosomes, 
obtained  in  the  crossover  and  mutation  operations,  respectively.  In  a  single  crossover 
operation,  two  chromosomes,  randomly  chosen  from  the  current  population,  are  used 
to  prodtice  a  new  pair  of  chromosomes.  Each  time,  a  crossover  point  is  selected  ran¬ 
domly  within  the  length  of  a  chromosome,  and  the  respective  f^enes  are  exchanged 
with  each  other. 

Another  operation  -  tnutation,  unlike  crossover,  makes  changes  within  an  individ¬ 
ual  chromosome,  randomly  chosen  from  the  set  of  lC/71  population  chromosomes, 
rather  than  across  a  pair  of  chromosomes. 

In  order  to  adapt  the  genetic  approach  to  solve  the  IP-MPLSAVDM  survivable 
routing  problem,  the  following  assumptions  were  made: 

Chromosome 

A  single  chromo.some  was  formed  by  a  matrix  E  of  costs  9,  of  arcs  Of,  =  (/,  j)  used 
when  finding  the  working  and  backup  LSPs.  The  quality  of  a  chromosome  was  meas¬ 
ured  in  terms  of  the  total  link  capacity  utili/.ation  ratio  by  finding  the  solution 
to  the  respective  IP-MPLSAVDM  survivable  routing  problem,  using  the  MLS-H  algo¬ 
rithm  (Fig.  3)  with  the  costs  of  network  arcs  a^  stored  in  the  chromo.some. 


312 


W.  Molisz  and  J.  Rak 


Initial  Population 

The  initial  population  of  \CH\  chromosomes  was  formed  by  \CH\  matrices  E  of  arc 
costs  each  matrix  obtained  by  introducing  the  random  modifications  to  the  matrix 
^of  the  reference  costs  of  WDM  arcs 

Crossover 

This  operation  was  performed  on  a  pair  of  randomly  chosen  chromosomes  ch^  and 
chft  to  obtain  a  new  pair  of  chromosomes.  A  point  of  crossover  was  randomly  deter- 
mined  first.  The  crossover  operation  assumed  the  exchange  of  parts  of  the  symmetric 
matrix  E  of  arc  co.sts,  as  given  in  Fig.  4. 


Exchange  of 

■ 

genes  * 

chromosome  ch^,  chromosome  che  chromosome  ch^  chromosome  chg 

Fig.  4.  Example  crossover  operation  in  MLS-GEN-H  algorithm 


Input 

Output 

WDM -layer  topology  F  =  (A^,  A)\  A  set  of  IP-MPLS  layer  demands  D/p,  each 
demand  given  by  a  quadruple  d,=  {pi,  q,,  where  qi,  m,  Jlpi)  are: 

the  source  node,  the  destination  node,  the  service  class  number 
and  the  requested  capacity,  respectively;  the  number  of  iterations  ic. 

Survivable  multilayer  routing  of  demands. 

Step  1 

Set  /  =  0. 

Step  2 

Create  the  initial  population  of  \CH\  chromosomes. 

Step  3 

Obtain  1C/?5I  new  chromosomes  by  applying  the  crossover  operation,  each 
such  operation  for  a  randomly  chosen  pair  of  exisiing  chromosomes 
from  the  population. 

Step  4 

Obtain  \MUT\  new  chromosomes  by  using  the  mutation  operation,  each  .such 
operation  for  one  chromosome  randomly  chosen  from  the  population. 

Step  5 

Measure  the  quality  of  \CRS\  +  \MUT\  new  chromosomes  by  executing 
the  MLS-H  algorithm  once  for  each  given  chromosome  (matrix  £). 

Step  6 

Choose  1C//1  out  of  \CH\  +  \CRS\  +  \MUT\  best  chromosomes  to  form 
the  new  population. 

Step  7 

If  /  =  ic  then  return  the  best  solution  from  the  current  population 
el.se 

Step  7. 1  Set  /  =  /  +  1 . 

Step  7.2  Go  to  Step  3. 

Fig.  5.  The  MLS-GEN-H  algorithm 


Mutation 

During  a  single  mutation  operation^  a  randomly  chosen  gene  gei  =  (/,  j)  of  a  given 
randomly  cho.sen  chromosome,  being  the  cost  of  respective  arc  «/,  =  (/,  j),  was 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


313 


assigned  a  random  value  from  the  range  (0,  where  was  the  length  of  the 

longest  arc  in  the  WDM  layer.  Since  each  cost  matrix  £*  was  symmetrical,  the  same 
random  value  was  set  to  the  gene  ge2  =  0,  0- 

The  MLS-GEN-H  algorithm  is  pre.sented  in  Fig.  5. 

The  algorithm  first  creates  the  set  of  \CRS\  initial  chromosomes  (Step  2).  Each  it¬ 
eration  of  the  MLS-GEN-H  algorithm  is  formed  by  the  execution  of  Steps  3-5-7. 
In  Steps  3-5-4,  \CRS\  and  \MUT\  new  chromosomes  are  prcxiuced  during  the  crossover 
and  mutation  operations,  respectively.  In  Step  5,  the  quality  of  each  new  chromosome 
is  verified  by  executing  the  MLS-H  algorithm  from  Fig.  3.  Finally,  the  best  \CH\  out 
of  IC//I -I- 1C/?5I -f  lA/^yn  chromosomes  are  chosen  to  form  the  new  population. 
The  algorithm  terminates  after  reaching  the  given  number  of  iterations  defined 
by  the  ic  variable  and  returns  the  best  solution  from  the  la.st  population. 

The  MLS-GEN-H  algorithm  has  the  polynomial  computational  complexity  of 
O(IAI^),  since  in  Step  2  it  executes  ic  {\CRS\-\-\MUT\)  times  the  MLS-H  algorithm  of 
complexity  (9(1M^)  to  check  the  quality  of  new  chromo.somes.  Additionally,  each  opera¬ 
tion  of  cros.sover  and  mutation  requires  0(IA1“)  and  6^[1)  time,  accordingly. 

3  Modeling  Assumptions 

The  modeling  was  to  evaluate  the  properties  of  the  proposed  approach  regarding 
the  following  characteristics: 

a)  the  average  length  and  the  average  number  of  links  of  working  and  backup  paths, 

b)  the  total  number  of  broken  connections  and  the  average  value  of  service  restora¬ 
tion  time,  measured  in  a  single  simulation  scenario. 

The  results  additionally  include  the  ratio  of  improvement  in  solution  quality  for 
the  genetic  approach  as  a  function  of  the  iteration  number,  measured  as  the  decrease 
in  the  total  number  of  channels,  needed  to  provide  the  class-based  survivable  routing 
for  the  best  solution  in  each  next  population.  They  are  presented  for  four  networks, 
namely,  the  European  COST  239  Network,  the  Italian  Network,  the  NSF  Network  and 
the  U.S.  Long-Distance  Network  (see  Figs.  6-5-9). 


Fig.  6.  European  COST  239  Network  [IS] 


Fig.  7.  Italian  Network  [1] 


314 


W.  Molisz  and  J.  Rak 


Fig.  8.  NSFNeiwork  [121 


Fig.  9.  U.S.  Long-Distance  Network  [19] 


All  the  WDM  layer  links  were  assumed  to  have  32  channels.  Channel  capacity  unit 
was  considered  to  be  the  same  for  all  the  links.  Nodes  had  the  integrated  functionality 
of  optical  cross  connects  (OXCs)  in  the  optical  layer  and  of  the  IP-MPLS  routers. 
OXCs  were  assumed  to  have  a  full  wavelength  conversion  capability. 

Time  of  service  restoration  in  the  WDM  layer  comprised:  time  to  detect  a  failure, 
link  propagation  delay,  time  to  configure  backup  lightpath  transit  nodes  and  message 
processing  delay  at  network  nodes  (including  queuing  delay).  The  recovery  actions, 
that  had  to  be  finalized  in  the  IP-MPLS  layer,  additionally  included  the  following: 

-  time  to  determine  that  the  WDM  layer  is  not  able  to  restore  the  affected  flow 
(i.e.  the  time  of  unsuccessful  recovery  in  the  WDM  layer  equal  to  the  time 
needed  to  send  the  NODE  FAIL  message  to  the  lightpath  end- nodes) 

-  time  to  reroute  the  affected  flow  in  the  IP-MPLS  layer  comprising: 

■  time  to  detect  the  failure  in  the  IP-MPLS  layer  which  includes  the  time 

to  transfer  the  recovery  token  to  the  WDM  layer.  In  simulations,  the  value 
of  -  20  ms  was  used,  as  defined  in  [2], 

■  time  to  send  the  notification  to  the  working  LSP  source  node  along 
the  working  LSP  links  about  the  failure,  based  on  the  aggregate  transmission 
delay  of  the  corresponding  working  lightpaths  and  message  processing  delay 

IP 

^MPD~  working  LSP  transit  nodes  (as  given  in  [2]), 

■  time  to  configure,  test  and  set  up  the  forwarding  table  at  the  respective  LSRs 

set  to  10  ms  (following  [2]), 

-  time  to  activate  the  backup  LSP  being  the  aggregate  time  to  activate  all  the 
respective  unprotected  lightpaths  carrying  the  backup  LSPs. 

For  each  IP-MPLS  layer  connection,  the  following  properties  were  assumed: 

-  demands  from  M=5  service  classes  with  protection  against  a  single  node  failure, 

-  the  demanded  capacity  equal  to  1/8  of  the  WDM  link  channel  capacity, 

-  protection  against  a  single  node  failure, 

-  provisioning  100%  of  the  requested  bandwidth  after  a  failure, 

-  a  demand  to  assure  unsplittable  flows  in  both  the  IP-MPLS  and  the  WDM  layer, 

-  the  di.stanee  metrics  and  the  Bhandari's  algorithm  [3]  of  finding  A-node  disjoint 
paths  (here  k  =  2)  in  all  path  computations,  except  for  the  unprotected  lightpaths 
for  the  backup  LSP  link.s,  found  by  the  Dijkstra’s  shortest  path  algorithm  [3], 

-  the  number  of  generated  populations  set  to  ic  =  1 000, 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


315 


-  the  size  each  population  equal  to  \CH\  -  20  chromosomes, 

-  number  of  chromosomes  achieved  during  the  crossover  and  mutation  operations 
in  each  iteration:  IC/?5I  =  10  and  \MUT\  =  10,  accordingly, 

-  percentage  of  chromosome  genes  changed  during  the  mutation  operation:  10%, 

-  type  of  mutation:  random  value  insertion, 

-  the  three-way  handshake  protocol  of  service  restoration  in  the  1P~MPLS  and 
WDM  layer  (the  exchange  of  NODE  FAIL,  SETUP  and  CONFIRM  messages). 

However,  for  the  analyzed  MLS-GEN-H  algorithm,  the  time  needed  to  perform 
k  =  lOCK)  iterations  using  a  Pentium  IV  2.4  GHz  workstation  with  512  MB  RAM  was 
up  to  one  week  for  a  single  demand  set  (for  the  case  of  the  U.S.  Long  Distance  Net¬ 
work  with  the  size  of  a  demand  set  equal  to  100%  node  pairs).  For  this  reason,  for  any 
of  the  investigated  network,  computations  were  done  for  a  single  demand  .set  only. 

The  algorithm  of  a  single  modeling  scenario  is  shown  in  Fig.  10. 


F-]xeciiie  the  following  steps: 

Step  I  Randomly  choose  IO//*l  pairs  </,)  of  mxlcs  (1/VI/M  demands  for  each  service  class)  . 
Step  2  Try  to  establish  the  survivable  connections  using  the  MLS-GHN-H  algorithm. 

Step  3  Store  the  ratio  of  link  capacity  utilization  and  the  lengths  of  paths. 

Step  4  u  times  simulate  random  failures  of  single  nodes.  For  each  failure,  restore  the  broken 
connections  and  memorize  the  values  of  connection  restoration  time. 

in  each  .scenario,  u  =  J(X)  assumed.  The  number  of  demands  10/^1  w  as  set  to  2S.  75  or  of  all  the 

fteiwork  node  pairs  chosen  randomlv.  accordinfily. 


Fiji.  10.  Research  plan 


4  Modeling  Results 

4.1  Average  Path  Lengths  and  Numbers  of  Links  of  Connection  Paths 

Fig.  1 1  show.s  the  average  lengths  of  working  and  backup  LSPs  as  a  function 
of  the  service  class  number,  while  Fig.  12  gives  the  respective  numbers  of  LSP  links. 
Table  1  shows  the  lengths  of  the  95%  confidence  intervals  of  the  average  path  length. 
Independent  of  the  service  class  number  nu  the  lengths  of  the  IP-MPLS  layer  working 
and  backup  paths  remain  at  the  same  level,  eharaeteristie  to  path  protection  .scheme. 
The  average  number  of  IP-MPLS  layer  working  path  links,  defined  in  Eq.  I,  de¬ 
creases  with  the  decrease  of  the  service  class  number  m  (Fig.  12),  resulting  in  less 
frequent  time-consuming  recovery  actions  in  the  IP-MPLS  layer  for  more  important 
service  classes.  Since  each  link  of  the  backup  LSP  is  e.stablishcd  as  the  one-hop  light- 
path,  the  average  number  of  backup  LSP  links  remains  at  the  .same  level,  independent 
of  the  service  class  number. 

Fig.  13  shows  the  average  lengths  of  WDM  layer  lightpaths  as  a  function  of  a  ser¬ 
vice  class  number,  while  Fig.  14  gives  the  numbers  of  WDM  layer  path  links.  Table  2 
presents  the  lengths  of  the  95%  confidence  intervals  of  the  average  lightpath  length. 
The  average  length  of  backup  lightpaths  remains  at  the  same  level,  independent  of  the 
service  class  number.  However,  the  average  length  of  working  lightpaths  decreases 


316 


W.  Molisz  and  J.  Rak 


«  3000  ■ 

OL 

i/i 

^  2000  ■ 
I*  1000  • 
0 


-wortnogLSPs  (NSF) 

•  worliingLSPa  (Itsltan) 

'  O- 


•  -O  •  backup  LSPs  (NSP) 

•  o  •  backup  LSPa  (Kakany 

t  _  I 

A-r-rP-iv-O-  - 


-  -m-  -  worktng  LSP(  (NSP) 

-  o  -backup  LSPa  (NSP) 

.  ^  .  working  LSP»  (Rakan) 

-  O.  -  backup  LSPa  (Ralian) 

1  o...;.. 

(  O - • 

.  U  ~  l-  - 

1  ' 

- 

(  ( 

1  1 

class  0  class  1  class  2  class  3  class  4 


Fig.  1 1.  Average  length  of  LSPs 


Fig.  12.  Average  number  of  LSP  links 


Table  1.  Lengths  of  95%  confidence  intervals  for  the  average  length  of  LSPs  [km] 


network 

working  LSPs 

backup  LSPs 

class  0  : 

class  1  i  class  2  |  class  3 

class  4 

class  0 

class  1  ;  class  2  cla.ss  3  i  class  4 

NSF 

160.30 

161.38:  173.98  1  176.46. 

175.28 

•  i 

1 204.80]  1 79.38  [  18 1.08' 175.13 

Italian 

"'32.34'] 

31.84  *  33^08  i  33.35  ' 

IxiT 

• 

’  78.08  ^  5rM"i  59;7"4  l  50.26  ^ 

5000 

E 

—  4000 
£ 

J  3000 

2  2000 
5 

”5  1000 


~  -m-  -  working  kghipath  (NSP)  -  O  -  backup  Ughipatn  (NSP) 

6  - 

-  «-  •  working  ligmpath  (NSF)  •  O  «  backup  kghipath  (NSF) 

•  ^  -  working  kgMpath  (Kalian)  •  O  -  backup  HgMpath  (Nakan) 

1 

£  4 

1 

-  ^  -  work  mg  ligNpath  (Nakan)  -  O  -  backup  hghtpath  (Nakan) 

-  -r 

__  L^__L  ! - 

o*  •  *1*  :  :h(:  :  :k  .  .  o.  .  .  <  ,  ,  i 

__i^i - 1_  1  -1 - 

1  1 

1 - ^  ■  -iv  . 

«  2 

1 

^  0 

-  r  f  - 

.  1  ♦  — I-— 

1  1  1  1  ■ 

1  1  1  1 

Fig.  13.  Average  length  of  lightpath 


Fig.  14.  Average  number  of  lightpath  links 


Table  2.  Lengths  of  95%  confidence  intervals  for  the  average  length  of  lightpaths  [km] 


network 

working  lightpaths 

backup  lightpaths 

class  0 

f  1 

class  1 

[ 

i  class  2  ; 

:  class  3  ! 

1  .  . .  ; 

class  4 

class  0 

1  class  1  class  2  i  class  3  i  class  4 

NSF 

185.10 

^151.11 

.  128.69 

I  121.62, 

56.28 

170.67 

i231.90|212.76^322.21  ^  - 

Italian 

27  .15  ' 

'  18.89 

12.32 

i  11.15 

6.61 

15;75  ^ 

1  32.78  i  24.61  26 J9  ^  - 

Fig.  15.  Average  length  of  unprotected 
lightpaths 


Fig.  16.  Average  number  of  unprotected 
lightpath  links 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


317 


with  the  increase  of  service  class  number.  This  is  due  to  the  fact  that  with  the  increase 
of  the  service  class  number,  the  number  of  IP-MPLS  layer  working  LSP  links  in¬ 
creases,  and  each  link  of  the  working  LSP  is  realized  by  a  shorter  WDM  lightpath. 

Fig.  15  shows  the  average  lengths  of  unprotected  lightpaths  realizing  the  backup 
LSPs  as  a  function  of  the  service  class  number,  while  Fig.  16  gives  the  respective 
numbers  of  LSP  links.  Independent  of  the  analyzed  network,  the  average  length 
of  the  unprotected  lightpath,  each  unprotected  lightpath  realized  by  a  direct  WDM 
layer  link  (Fig.  16),  remains  at  the  same  level  for  all  the  service  classes. 

4.2  Service  Recovery  Actions 

Fig.  17  shows  the  aggregate  numbers  of  service  recovery  actions  for  both  the  IP- 
MPLS  and  the  WDM  layer,  measured  in  a  single  .scenario.  It  shows  that,  with  the 
increase  of  the  service  class  number,  the  number  of  recovery  actions  in  the  IP-MPLS 
layer  increases,  while  the  number  of  recovery  actions  in  the  WDM  layer  decreases. 
For  the  class  m  =  0,  it  implies  that  the  WDM-layer  recovery  actions  are  sufficient  to 
handle  all  the  failure  cases  and,  as  a  result,  they  provide  fast  service  recovery.  For  the 
other  service  classes,  with  the  increase  of  the  number  of  IP-MPLS  working  path  tran¬ 
sit  nodes,  the  frequency  of  IP-MPLS  recovery  actions  gets  increased. 


I 


T3 


-  •  WOM  layvr  (NSP)  -  -O  •  IP  layer  (NSFl 

•  •  WOM  layer  (ttelren)  .  o  .  ip  |«y«r  (ttahan) 


Class  0  class  1  class  2  class  3  class  4 


Fig.  17.  Total  number  of  restored 
connections 


Fig.  18.  Average  values  of  service 
restoration  time 


Table  3.  Lengths  of  95%  confidence  intervals  for  the  average  values  of  connection  restoration 
time  [ms] 


network 

WDM  layer 

IP-MPUS  layer 

class  0 

class  1  class  2  ;  class  "S 

class  4 

class  0  class  1 

class  2  '  class  3 

:  class  4 

NSF 

2.24 

2.94  2.91  ;  3.90 

- 

-  ^  4.96 

2.83  1.92 

1.68 

Italian 

0.24 

^  0.40  i  0.27  ^  0  00 

- 

-  "  0.84 

0.70/0.74 

0.77 

The  average  values  of  service  recovery  time  in  the  WDM  layer,  shown  in  Fig.  18, 
remain  at  the  .same  low  level  (typical  to  the  link  protection  scheme).  This  is  true  inde¬ 
pendent  of  the  .service  class  number,  since  similar  scopes  of  WDM-layer  protection  are 
provided  for  all  the  .service  classes.  In  each  case,  the  values  of  service  restoration  time 
in  the  IP-MPLS  layer  arc  several  times  greater  than  in  the  WDM  layer. 


318 


W.  Molisz  and  J.  Rak 


Fig.  19  shows  the  aggregate  values  of 
service  recovery  time  as  a  function  of 
the  service  class  number.  Each  aggre¬ 
gate  value  was  calculated  as  the  sum  of 
all  the  values  of  connection  restoration 
time,  measured  in  a  single  simulation 
scenario.  These  results  give  another 
proof  of  effieieney  of  the  intrcxlueed 
approach.  The  ratio  between  classes  m  = 

0  and  m  =  4  was  even  of  order  1:15  (for 
the  Italian  Network).  Aggregate  values  of  service  restoration  time  for  the  highest 
service  class  {m  =  0)  were  always  the  shortest  ones. 

4.3  Ratio  of  Solution  Quality  Improvement 

Fig.  20  shows  the  advantage  of  the  MLS-GEN-H  genetic  approach  over  the  reference 
MLS-H  method  of  solving  the  survivable  routing  problem  in  each  network  layer  ex¬ 
actly  once.  The  ratio  of  solution  quality  improvement  is  given  here  in  terms 
of  the  decrea.se  of  the  total  number  of  WDM  link  channels,  required  to  provide 
the  survivable  routing  of  demands  from  the  set  Djp,  as  a  function  of  the  population 
number.  For  each  /-th  population,  this  ratio  is  given  for  its  best  chromosome. 

Due  to  maintaining  a  certain  number  (here  \CH\  =  20)  of  the  so  far  calculated  best 
chromosomes  for  computations  in  each  next  iteration  and  performing  the  parallel 
search  in  the  solution  space,  the  proposed  MLS-GEN-H  genetic  algorithm  obtained 
the  results  up  to  22.55%  better  (Italian  Network),  compared  to  the  results  of  the  refer¬ 
ence  MLS-H  approach.  In  this  ease,  632  against  initial  816  link  channels  were 
needed.  They  also  show  that,  after  a  reasonable  number  of  iterations  (e.g.  400),  a  good 
solution  may  be  found  and  further  improvement  is  hardly  possible. 


Fig.  19.  Aggregate  values  of  service 
restoration  time 


Fig.  20.  The  ratio  of  solution  quality  improvement  (network  load:  25%  node  pairs  chosen  ran¬ 
domly:  population  si/e:  20) 

Fig.  21  shows  the  results  for  the  U.S.  Long-Distance  Network  for  the  ease  of  vary¬ 
ing  network  load.  They  are  presented  for  four  sizes  of  demand  set  D//>,  eonsisting  of 
randomly  chosen  25,  50,  75  and  100%  of  all  the  network  node  pairs,  aecordingly. 
They  show  that  the  average  number  of  iterations  needed  to  obtain  a  good-quality 
solution  increases  with  the  increase  of  the  network  load. 


A  Novel  Genetic  Approach  to  Provide  Differentiated  Levels  of  Service  Resilience 


319 


30% 


0% - ^ - r - ^ - — . - ^ - T ^  ^ ^  - . - ^ ^ - , - , - , - 

1  101  201  301  401  501  601  701  801  901 

popuialion  number 


Fig.  21.  The  ratio  of  solution  quality  improvement  for  U.S.  Long-Distance  Network  (various 
network  loads;  population  si/.e:  \CH\  =  20) 


Table  4.  Numbers  of  required  WDM  link  channels  for  the  best  solutions  for  different  popula¬ 
tion  sizes 


U.S.  Long-Distance 

NSF 

COST  239 

Italian 

best  solution  for  \CH\  =  20 
chroinosonic.s/population 

1530 

256 

378 

632 

best  sol ui ion  for  \CH\  =  60 
chromosonies/populaiion 

1596 

260 

380 

554 

bcsi  soluiion  iicration  number 
(20  chromo.somes/populalion) 

72  ; 

103 

809 

535 

best  solution  iteration  number 
(60  chromosonies/populaiion) 

30 

1 

514 

839 

80(1 

Table  4  presents  the  numbers  of  iterations  that  were  required  to  find  the  respective 
best  solutions  for  all  the  analyzed  networks  with  the  demand  sets  consisting  of  25%  of 
randomly  chosen  node  pairs.  They  are  shown  for  two  cases  of  population  size,  con¬ 
sisting  of  \CH\  =  20  and  60  chromosomes,  accordingly.  In  all  eases  except  for  the 
Italian  Network,  after  1000  iterations,  the  obtained  results  were  worse  for  the  greater 
population  size.  This  may  mean  that  the  number  of  iterations,  needed  to  get  the  solu¬ 
tion  of  a  given  quality,  may  be  greater  for  larger  populations. 

5  Conclusions 

In  this  paper  we  introduced  the  novel  class-based  algorithm  of  survivable  routing  in 
IP-MPLvSAVDM  networks  providing  differentiated  levels  of  .serviee  survivability, 
based  on  the  service  class  number.  This  differentiation  was  defined  in  terms  of  the 
values  of  serviee  recovery  time  and  the  frequency  of  performing  the  time-consuming 
recovery  actions  in  the  IP-MPLS  layer. 

The  original  problem  of  survivable  routing  in  IP-MPLS/WDM  network  was  di¬ 
vided  into  two  subproblems,  one  for  eaeh  network  layer.  Finding  the  .solution  to  the 
survivable  routing  in  the  IP-MPLS  layer  was  followed  by  obtaining  the  results  in  the 
WDM  layer.  However,  .solving  the  two  subproblems  separately  in  a  sequential  manner 
might  certainly  lead  to  the  results  far  from  the  optimal  ones.  To  overcome  this  prob¬ 
lem,  the  metaheuristie  approaeh,  called  MLS-GEN-H,  based  on  genetic  programming 


320 


W.  Molisz  and  J.  Rak 


was  proposed  to  improve  the  quality  of  results  by  solving  the  problem  iteratively. 
This  in  turn  enabled  to  perform  the  parallel  search  when  finding  the  best  solution.  As 
a  result,  MLS-GEN-H  algorithm  achieved  the  advantage  of  up  to  22.55%,  compared 
to  the  results  of  reference  MLS-H  method  of  solving  the  two  subproblems  in  each 
network  layer  exactly  once. 

References 

1.  Ali,  M.:  Sharcability  in  Optical  Network.s:  beyond  Bandwidth  Optimization.  IEEE  Optical 
Communications  42(2),  11-15  (2004) 

2.  Autenrieih,  A.:  Recovery  Time  Analysis  of  Differentiated  Resilience  in  MPLS.  In:  Proc. 
Design  of  Reliable  Communication  Networks  2003  -  DRCN  2003,  pp.  333-340  (2{K)3) 

3.  Bhandari,  R.:  Survivable  Networks:  Algorithms  of  Diverse  Routing.  Kluwcr  Academic 
Publishers,  Boston  (1999) 

4.  Bigos,  W.,  el  al.:  Survivable  MPLS  over  Optical  Transport  Networks:  Cost  and  Resource 
Usage  Analysis.  IEEE  J.  Select.  Areas  Commun.  25(5),  949-962  (2007) 

5.  Cui,  X.,  el  al.:  Optimization  of  Multilayer  Restoration  and  Routing  in  IP-over-WDM  Net¬ 
works.  In:  Proc.  OFC/NFOEC,  pp.  1-10  (2008) 

6.  Goldberg,  D.E.:  Genetic  Algorithms  in  Search,  Optimization  and  Machine  Learning.  Addi¬ 
son  Wesley,  Reading  (2002) 

7.  Harle,  D.,  Albarrak,  S.:  Differentiated  Survivability  in  a  Distributed  GMPLS-based  IP- 
over-Opiical  Network.  In:  Proc.  ONDM  2008,  pp.  1-5  (2008) 

8.  Liu,  Y.,  Tipper,  D.,  Vajanapoom,  K.:  Spare  Capacity  Allocation  in  Two-Layer  Networks. 
IEEE  J.  Select.  Areas  Commun.  25(5),  974-986  (2007) 

9.  Molisz,  W.,  Rak,  J.:  Region  Proiection/Resioraiion  Scheme  in  Survivable  Networks.  In: 
Gorodetsky,  V.,  Kotenko,  1.,  Skormin,  V.A.  (eds.)  MMM-ACNS  2005.  LNCS,  vol.  3685, 
pp.  442^47.  Springer,  Heidelberg  (2CK)5) 

10.  Molisz,  W.,  Rak,  J.:  A  Novel  Class-based  Protection  Algorithm  Providing  Fast  Service 
Recovery  in  IPAVDM.  In:  Das,  A.,  Pung,  H.K.,  Lee,  F.B.S.,  Wong,  L.W.C.  (eds.)  NET¬ 
WORKING  2008.  LNCS,  vol.  4982,  pp.  338-345.  Springer,  Heidelberg  (2008) 

1 1.  Mukherjee,  B.:  Optical  WDM  Networks.  Springer,  Heidelberg  (2006) 

12.  Qin,  Y.,  Mason,  L.,  Jia,  K.:  Study  on  a  Joint  Multiple  Layer  Restoration  Scheme  for  IP 
over- WDM  Networks.  IEEE  Network  17(2),  43^8  (2003) 

13.  Pickavei,  M.,  ei  al.:  Recovery  in  Multilayer  Optical  Networks.  IEEE  J.  of  Lightwave 
Technology  24(1 ),  122-133  (2006) 

14.  Ratnam,  K.,  Zhou,  L.,  Gurusamy,  M.:  Efficient  Multi-Layer  Operational  Strategies  for  Surviv¬ 
able  IP-over-WDM  Networks.  IEEE  J.  Select.  Areas  Commun.  24(8),  16-31  (2006) 

15.  Sahasrabuddhe,  L.,  Ramamurthy,  S.,  Mukherjee,  B.:  Fault  Management  in  IP-over-WDM 
Networks:  WDM  Protection  vs.  IP  Restoration.  IEEE  J.  Select.  Areas  Commun.  20(1),  21- 
33 (2002) 

16.  Tapolcai,  J.,  et  al.:  A  New  Shared  Segment  Protection  Method  for  Survivable  Networks 
with  Guaranteed  Recovery  Time.  IEEE  Trans,  on  Reliability  57(2),  272-282  (2008) 

17.  Wang,  H.,  Modiano,  E.,  Medard,  M.:  Partial  Path  Protection  for  WDM  Networks:  End-lo- 
End  Recovery  Using  Local  Failure  Information.  In:  Proc.  ISCC  2002,  pp.  719-725  (2002) 

18.  Wauiers,  N.,  Dcmcesier,  P.:  Design  of  the  Optical  Path  Layer  in  Mulliwavelength  Cross 
connected  Networks.  IEEE  J.  Select.  Areas  Comn.  1(5),  881-892  (1996) 

19.  Xiong,  Y.,  Mason,  L.G  :  Restoration  Strategies  and  Spare  Capacity  Requirements*  in  Self 
healing  ATM  Networks.  lEEE/ACM  Trans,  on  Neiw.  7(1),  98-1 10  (1999) 

20.  http:  // WWW. pg. gda. pi /--jrak/MMM- ACNS2010WMJR.pdf 


Predictive  Security  Analysis  for  Event-Driven 

Processes 


Holaiid  Rioko  and  Zaliariiia  Stoynova 

Fraiiiiliofer  Institute'  for  Secure  liiforinatioii  Tecliiiolog>-  Sn\  Oarnistadt,  Gennaiiy 
{roland. rieke ,zaharina. stoynova} Qsit .fraunhofer. de 


Abstract.  This  paper  presents  an  approach  for  prexlictive  security  anal¬ 
ysis  in  a  hu.siness  process  execution  environnient.  It  is  based  on  op¬ 
erational  formal  models  and  leve'rages  process  and  tlireat  analysis  and 
simulation  techni(}U(^s  in  order  to  be  able  to  dynamically  relate  events 
from  difTerent  processes  and  architectural  layers  and  evaluate  them  with 
respect  to  security  reqiiirerneiits.  Based  on  this,  we  pre.sent  a  blueprint 
of  an  architecture  which  can  provide  decision  support  by  perfoi  ruing  dy¬ 
namic  sininlation  and  analysis  while  considering  real-time  process  changes, 
It  allows  for  the  identification  of  close'- future  security-threateiiing  process 
states  and  will  output  a  predictive  alert  for  the  corresponding  violation. 

Keywords:  i)retlictivc  security  analysis,  analysis  of  business  proce.ss  be¬ 
haviour,  security  modelling  and  simulation,  complex  event  processing. 


1  Introduction 

With  the  iiicrcaseil  adoption  of  st'rvicc  orient ('d  infrastructures  and  arcliitec- 
tiiros,  organisations  are  starting  to  face  the  need  for  an  actairate  inaiiageineiit 
of  cross- pro  (ess  and  cross-layer  security  inforination  and  e\a*iits.  The  main  (‘ou¬ 
st  raint  of  current  .systems  is  the  rc'strictioii  of  Security  Inforiiiatioii  and  Event 
MaiiageiiK'iit  (SIEM)  [8]  to  lu'twork  infiristnictiin',  and  the  inability  to  interpret 
('VPiits  and  incidents  from  other  layers  such  as  the  service  vi('\v.  or  the  business 
iinpa(‘t  view,  or  on  a  vii'wpoint  of  the  si'rvice  itself.  (\)ii\x'rsely.  specific  s(*r- 
vi(‘e  or  pr(>c('ss  ()ri('nt('tl  security  iiu'chanisms  are  usually  not  aware  of  attacks 
that  exploit  complex  interrelations  Ix'tween  ev^eiits  on  different  layers  such  as 
physical  events  (e.g.  acix'ss  to  buildings),  aiijilication  level  ('vents  (e.g.  financial 
transactions),  hu.siness  application  nK^nitoring,  events  in  service  (oriented  an'hi- 
tectures  or  ('vents  on  inti'rfaces  io  cloud  coiiipiiting  apiilicatioiis.  Nevertheless, 
next  geiierati(m  systein.s  should  b('  able  to  interpn't  such  .si'cnrity- related  ('vents 
with  respect  to  specific  security  properties  required  in  different  jirocesses.  On 
the  biuse  of  these  events,  the  system  should  be  able  to  analyse  iii>coining  S('(‘urity 
threats  and  violations  in  order  to  trigger  rtunc'diatioii  actions  ('ven  before  the 
occiirn'iice  of  possible  security  incidences. 

In  this  papcT  we  propose  to  combine  jirocess  models  with  security  policies  and 
a  security  model  in  orch'r  to  identify  potential  (‘ross-ciittiiig  security  issiu's.  We 
furthermore  suggest  a  blueprint  of  an  archit(H‘ture  for  predictive  security  analysis 

I.  Kotenko  and  V  Skorniin  (Eds  ):  .MMM-ACNS  2010,  LNC’S  (>258.  pp.  321  328,  2010. 

.Springer- Verlag  Berlin  Heidelberg  2010 


322 


R.  Rieke  and  Z.  St  oy nova 


that  leverages  process  and  threat  analysis  and  siinnlation  teeliniques  in  order  to 
be  able  to  dynainically  relate  events  from  different  exeentioii  levels,  define  specific 
level  abstractions  and  evaluate  them  with  respect  to  security  issues. 

2  Related  Work 

Our  work  combines  aspects  of  process  nionitoriiig,  siinnlation.  and  analysis.  Some 
of  the  most  relevant  contributions  from  these  broad  areas  are  reviewed  below. 

Business  Activity  Monitoring  (BAM).  The  goal  of  BAM  applications,  as 
defiiK'd  by  Gartner  Inc.,  is  to  process  events,  which  are  generated  from  multiple 
application  systems,  enterprise  service  busses  or  other  inter-imterprise  sources  in 
real  time  in  order  to  identify  critical  business  key  perforinaiu'e  indicators  and 
get  a  better  insight  into  the  business  activities  and  then'by  improve  the  effec¬ 
tiveness  of  business  operations  [6].  Recently,  runtime  monitoring  of  ('oncurrent 
distributed  systems  based  on  LTL.  .state-charts,  and  related  formalisms  has  also 
received  a  lot  of  attention  [5,3].  Howewr  these  works  are  mainly  focui.sed  on  er¬ 
ror  detection,  e.g.  concurrency  related  hugs.  In  the  context  of  BAM  applications, 
in  addition  to  these  features  we  propose  a  close- JxLture  security  analysis  which 
provides  information  about  possible  security  risks  and  threats  reinforcing  the 
security-related  decision  support  .system  component.s. 

Complex  Event  Processing  (CEP).  CEP  provides  a  powerful  analytic  com¬ 
puting  engine  for  BAM  applications  which  monitor  raw  events  as  w^ell  as  the 
real-time  decisions  made  by  event  scenarios.  David  Liukham  [4]  provides  us 
with  a  framework  for  thinking  about  complex  events  and  for  designing  systems 
that  use  such  evemts.  A  framework  for  detecting  complex  event  patterns  can 
be  found  e.g.  in  [10].  However  such  frameworks  concentrate  on  detecting  events 
important  for  statistical  aspects,  redesign  and  commercial  optimisation  of  the 
business  process.  Here  we  want  to  broaden  the  scope  of  the  analysed  event  types 
by  introducing  complex  security  events  in  the  CEP  alphabet. 

Simulation.  Different  categories  of  tools  that  arc  applicable  for  simulation  of 
event-driven  processes  including  process  modelling  tools  ha.sed  on  different  semi- 
formal  or  formal  methods  such  as  Petri  Nets  [2]  or  Event-driven  Process  Chains 
(EPC)  [l].  Some  process  managements  tools,  such  as  FileNet  [7]  offer  a  simu¬ 
lation  tool  to  support  the  design  phase.  Also  some  general  purpose  simulation 
tools  such  as  CPNTools  [11]  were  proven  to  be  suitable  for  simulating  busi¬ 
ness  processes.  However,  independently  from  the  tools  and  methods  used,  such 
simulation  tools  coiiccuitrate  on  statistical  aspects,  redesign  and  connncrcial  oi> 
tiniization  of  the  busine.ss  procc'ss.  On  the  contrary,  we  propose  an  approach 
for  on-the-fly  intensive  dynamic  simulation  and  analysis  considering  the  current 
process  state  and  the  event  information  combined  with  the  corresponding  steps 
in  the  process  model. 

Security  Information  Management  (SIM).  SIM  systems  generally  repre¬ 
sent  a  centralized  s(‘rver  acting  as  a  ’'security  (‘onsole’*,  sending  it  informa¬ 
tion  about  .security-related  events,  which  displays  reports,  charts,  and  graphs 


l^rodic'tivo  S(‘(  urity  Analysis  for  Event-Driven  I^rocesses 


of  that  iiifonnation,  often  in  real  time.  Comnierrial  SIEM  products  include' 
Cisco  Sc'ciiiity  Monitoring  Analysis  and  Response  System  (http : //www. cisco. 
com/en/US/products/ps624 1/index  .html).  Event Trac'kc'r  by  Prism  Mierosys- 
tcMiis  (http :  / /www .  prismmicrosys  .  com/EventTrackerSIEM/index .  php),  Sc'ii- 
Sage  (http://www.sensage.com/products/sensage-40.php)  and  otlic'rs.  All 
these  products  monitor  the  low-level  events  (siieli  as  network  events)  and  per¬ 
form  event  correlation  only  on  the  base  of  (*vent  patterns  and  rules.  Our  ap¬ 
proach  additionally  (‘onsidcTs  the  business  process  level  events  c'oinbinc'd  with 
the  cairrent  proec'ss  state'  and  bnsiiu'ss  process  information  i)rc)vicled  by  a  pro- 
c  c'ss  spc'cific  ation. 


3  Blueprint  of  Architecture  for  Security  Event  Processing 
and  Predictive  Security  Monitoring 

111  this  sec  tion  we  iiitrocluee  oiir  aiiproaeh  for  security  ('valuation  of  event-driven 
proeessc's.  Figure  1  depicts  the  core  c'omponents  whic‘h  we  c‘onsidc'r  neec'ssary  in 
order  to  be  able  to  i)erfc)rm  a  sc'cairity  event  processing  and  monitoring  analysis 
in  the  eontc'xt  of  a  rimning  evc'iit-driven  business  process. 

The  input  elenients  which  wc'  need  eonii)rise,  (1)  a  process  jtwdel  givc'ii  in  a 
notation  such  as  EPC.  DF^EL,  YAWL  or  FR^MX  that  contains  a  specification 
of  the  c'vents  which  can  he  triggered  during  runtiine,  (2)  secuiity  policies  which 
contain  iiiforinatioii  about  the  relations  between  the  users  involved  in  the  proerss. 
their  roles  and  the  relations  l)c'tween  the  roles  and  resoinrc's  clc  i)lovecl  by  the 
procc'ss.  (^5)  a  security  model  that  should  provide  information  about  the  process's 


Fig.  1.  Predictive  Security  Analyser 


324  R.  Rioke  and  Z.  Stoynova 


predefined  security  requirements  which  will  be  used  to  eoiistriiet  the  security 
events  patterns,  and,  (4)  real-time  events  whieli  will  h('  triggered  during  ruiitinie. 

Model  Editor.  In  order  to  analyse  the  system  behaviour  with  tool  support, 
an  appropriate  formal  representation  has  to  be  chosen  because  senii-formal  lan¬ 
guages  sueh  as  BPMN  allow  to  ereate  models  with  semantic  ('rrors  [2].  In  our 
ai)i)roaeh,  we  use  an  operational  finite  state  model  based  on  Asynehronous  Prod¬ 
uet  Automata  (A PA)  [9].  An  APA  eonsists  of  a  family  of  so  called  elementary 
automata  coiiniiunicating  by  eommon  components  of  their  state  (shared  mem¬ 
ory).  The  process  model,  the  organisational  model  and  the  seeurity  model  should 
be  imported  and  merged  in  a  high-level  model  of  the  proeess  and  then  this  model 
is  translated  into  an  APA,  whieh  will  enable  the  eornputation  of  the  possible  sys- 
t(nn  behaviour.  In  general,  we  could  also  use  other  descriptions  of  processes  with 
unainbigiioiis  formal  semaiities  here  such  as  the  approaches  in  [2]  for  BPMN  or 
[1]  for  EPC  that  allow  for  computation  of  possible  system’s  behaviour. 

Reachability  Graph  Generator.  Formally,  the  behaviour  of  an  APA  can  b(' 
given  by  a  reachability  graph  which  represents  all  possible  coherent  sequences 
of  state  transitions  starting  with  the  initial  state.  In  the  context  of  on-the-fiy 
seeurity  analysis  the  reachability  graph  will  represent  the  path  given  by  the  al¬ 
ready  triggered  events,  forwarded  by  the  Event  Preproces.sor.  The  computation 
will  be  automatically  paused  each  time  when  the  current  state  (according  to 
the  triggered  events)  of  the  process  is  reached.  In  the  context  of  predictive  sim¬ 
ulation  analysis  the  Reachability  Graph  Generator  computes  all  possible  near¬ 
future  paths  according  to  the  given  process  specification,  (e.g.  sequcmces  of  at 
most  2-3  i)laiisible  events).  This  will  allow  exhaustive  analysis  of  all  near- future 
states  to  be  performed  in  order  to  compute  whether  there  exist  possible  seeiirity- 
threatening  states  of  the  proci'ss  which  can  compromise  the  process  .sc'curity  and 
match  some  of  tlu'  evcnit  patterns  saved  in  the  Event  Patterns  database. 

Security  Simulator/ Analyser.  During  the  computation  of  the  graph  this 
component  will  cheek  for  each  state,  whether  the  specified  seeurity  properties  are 
fulfilled  and  trigger  security  alarms  when  possible  security  violations  are  found, 
Furtheniiore,  it  is  possible  to  detect  new  security  violations  that  were  not  pre¬ 
dicted  by  the  available  security  patterns.  In  order  to  include  them  in  the  analysis 
of  future  proce,ss  instances,  they  will  be  logged  in  the  History  Logs  database 
and  then  they  will  be  transformed  into  security  event  patti'rns  and  saved  in  the 
Event  Patterns  database.  The  simulator  will  also  enable  security  analysis  by  per¬ 
forming  intensive  simulation  which  inspects  the  behaviour  of  complex/parallel 
processes  under  given  hypotheses  {2vhat-if  analysis)  concerning  changes  in  the 
organisational  model/seeiirity  policies  or  the  process  model. 

Security  Event  Patterns.  These  patterns  which  are  relevant  for  the  corre¬ 
sponding  process  an'  kept  in  the  Event  Patterns  database  and  they  should  be 
extracted  from  tlu'  provided  security  model.  In  order  to  be  able  to  reason  about 
potential  security  problems,  based  on  real  life  events,  specific  abstractions  are 
included  in  this  extraction  process  so  that  the  abstraction  levels  for  the  various 
types  of  security- related  events  can  be  interrelated.  Solutions  for  these  kind  of 


Predictive  Security  Analysis  for  Event-Driven  Processes 


325 


s(MUiritv  analysis  are  already  available  but  usually  limited  to  a  narrow  field  of 
application  such  as  IDS  where  e.g.  the  d('tertion  of  a  nuinhcM-  of  abnormal  con¬ 
nections  could  load  to  a  '‘worm  detection’'  alarm.  Wc  i)roj)ose  a  geiua*ic  a])proacli 
lev('raging  these  ideas  and  incor])orating  other  types  of  security  relat'd  events. 

Event  Preprocessor.  In  the  context  of  on-th('-lly  security  analysis  the  Event 
Preprocessor  is  responsible  for  nn  eiving  the  real-life  evc'iits  triggered  (hiring  run¬ 
time,  niatclhiig  them  against  th('  available  security  event  patti^riis  and  forwarding 
them  to  tli(*  Reachability  Graph  Generator.  During  predictive  security  analysis 
the  E\('nt.  Preprocessor  will  geiuMate  all  possibk'  events  ac  cording  to  the  proc(*ss 
sjK’c  ification  and  will  match  (hem  against  the  event  iiatterns.  Then  it  will  forward 
(hem  to  the  Rea(‘hability  Grajih  Generator  in  oder  to  (‘liable  the  computation 
of  tlu'  process  graph. 

History  Logs.  In  the  History  Logs  (latal)ase  newly  detcxited  sec  urity- violating 
s(‘(}nenc(‘s  of  events  will  lx*  loggc'd.  These  will  lx*  used  to  (Tcate  new  .sevnrity 
ev(‘n(  patterns. 


4  An  Application  Scenario 

lx)r  illustrating  how  our  architc’cture  coinpoiKuits,  dc'seribed  in  the  prc'vious  .s(‘c- 
tion.  collaborate  we  will  refc’r  to  a  common  example  scenario  for  oiiliiu*  eic'dit 
applicat  ion. 

4.1  Process  Model 

In  an  EPC  graph  evcuits  arc*  repn^sentc'cl  as  hexagons  and  functions  that  clc^scribe 
state'  transitic^ns  are  rc'prc'sc'iitc’d  as  rouixhxl  rectangle's.  Now  consider  the  online 
crc'dit  applicat ic:)!!  i)rcx*c‘ss  c'xi)r('ssc'd  in  EPC  notation  in  Fig.  2.  Tlie  prcx'C'ss 
starts  when  an  aj)j)lic'ant  siibiiiits  an  apiilication  form.  Upon  rc'C(‘iving  a  new  ap¬ 
plication  form  a  CTC'dit  cku  k  performs  chc'cks  in  order  to  \'ali(late  the  applicant  *s 
income  and  otlx'r  rek'vaiit  information.  Dc'pc'iiding  on  t  he  rc'qnested  loan  amount 
dilkTCMit  checks  are  ix'rfornied.  Tlu'n  the  validat'd  ajiplication  passed  on  to  a 
managc'r  to  dc'cide  whc'ther  to  accept  or  rc'jc'ct  it.  In  botli  Ccusc's  the  aj)plicant  is 
notific’d  of  the  dcxd.sion  and  the'  ])r(KTSs  ends. 


credit 


large  \ 
amount 


send 

ap¬ 

prove 


check 

large 

amount 


check 

large 

.done 


new 


make 

deci¬ 

sion 


Srnall  \ 
amount 


check 

small 

.done 


credit 

de- 


deny 

re- 

xeived. 


check 

small 

amount 


appl. 

ended 


appl 


check 


oan 


amount 


Fig.  2.  Business  Process  Model 


326  R.  Rieke  and  Z.  Stoynova 


(a)  On-the-fly  security  violations 


check_lar^_.amount  check  small  .amount 


(b)  Reaf:liability  graph  of  busiiK'SS  process 


Fig.  3.  Predict  near  future  security  violations 


4.2  Predicting  Security  Events 

In  onr  example  scenario  we  consider  the  security  event  ''large  credit  ALERT'" 
which  is  raised  when  too  many  large  credits  are  approved  for  one  customer  (see 
Fig.  3(a)).  This  is  an  example  of  an  event  abstraction  or  complex  event  generated 
by  a  certain  sequence  of  simple  events,  triggered  in  the  process.  Such  complex 
events  are  generat^'d  by  CEP  engines  whenever  certain  predefined  sequences  of 
events  have  been  triggered. 

Additionally,  we  apply  such  complex  event  patterns  in  a  predictive  way.  Tliis 
means  that  whenever  an  ev^ent  pattern  is  probably  going  to  match  by  taking 
into  account  a  current  partial  match  and  a  possible  continuat  ion  of  the  current 
stat(\  these  abstractions  can  be  generated  prior  to  the  real-time  triggering  of  the 
simi)le  events.  In  our  example  we  generate  an  abstraction  of  the  atomic  events 
''large  amount  requested'"  and  "credit  approved'"  triggered  by  the  same  customer, 
namely  the  complex  event  "large  credit  approved"' .  Then  if  this  complex  event 
is  g(Mierated  e.g.  two  times  within  a  c('rtain  time  and  according  to  security  reg¬ 
ulations  only  two  large  credits  can  be  given  to  one  customer  we  can  generate 
the  alert  "large  eredit  ALERT''  in  the  upper  abstraction  level  prior  to  the  next 
approval  in  order  to  ensure  that  the  security  regulations  will  not  be  overseen  by 
taking  the  credit  decision. 

4.3  Operational  Model  for  Security  Event  Prediction 

A  computation  of  the  possible  system  behaviour  of  a  formal  APA  model  of  the 
business  process  in  Fig.  2  results  in  the  reachability-graph  depicted  in  Fig.  3(b). 
The  state  A/-3  e.g.  represents  the  situation  where  an  event  of  type  "large  amount 


Predictive  Security  Analysis  for  I^Aent-I) riven  Processi's 


327 


irqitc.sted'^  is  available  and  can  be  processed  by  the  action  check Aarqc. am ounr 
whi('li  in  turn  will  trigger  an  ('V(nit  of  type  "check  large  done".  After  this,  tlu' 
process  is  in  state  where  the  action  '"make,  dec  is  wn"  can  be  executed  and 

lead  to  oiu'  of  the  two  j)ossible  followup  states  A/-6  or  iM-Y.  A/-7  is  readied  ill 
the  decision  results  in  an  event  "credit  approved". 

From  this  we  now  conchidt'  that  a  predictive  alert  "large  credit  ALERT"  can 
be  generated  if,  (I)  the  system  is  in  a  state  where  the  iiinnb(*r  of  large'  crenlits 
allowed  for  one'  customer  is  (‘xhaiisted,  (2)  an  event  "large  amount  requested"  for 
th(‘  same  customer  is  received,  and,  (3)  an  ('valuation  of  jiossible  contimiatious  of 
the  proc(^ss's  behaviour  basc'd  on  the  operational  model  shows  that  an  additional 
ev('nt  of  type  "large  credit  approved"  is  possible  within  the  fori'cast  window. 

The  method  (U'seribed  in  this  paper  addrc'.sst's  S(^cnrity  prop(Tti(\s  that  can  be 
.stated  as  safety  propc'rtk^s.  Possible  violations  of  tlu'se  propertic'S  are  uh'iitified 
by  reachable  states  in  the  pre'dietcxl  system  behaviour.  Soiiu' (Examples  of  sc'ciiritv 
related  ('V('nt  types  that  can  be  analysc'd  by  the  method  givc'ii  in  this  pap('r  are: 

Confidentiality,  (’onsider  an  event  sending  a  cleartext  })assword.  Predict  that  in 
oiK*  possible'  contimiatioii  of  a  procc^ss,  an  event  about  proc  f'ssing  a  ck'artc'xt 
p^issword  locally  may  lead  to  an  ev('iit  s(*iidiiig  that  jiassword. 

Authentieity.  Consider  th('  physical  presentation  C3f  a  token  which  is  known  to 
!)('  unique  such  as  a  credit  (  ard  or  passport  ^is  })araineter  of  two  difh'rent 
events  with  very  close  time  and  very  different  location. 

Authorisation.  Consider  two  events  with  pc'rsons  with  the  same  biometric  pa¬ 
rameters  in  different  locations  at  the  same  time. 

Jnt  egiity /  Product  count  erf  citing.  Consider  RFIDs  b('ing  scanned  in  place's  where 
they  are  not  ('xpeet(\l. 

Integrity /Safety.  Consider  two  trains  on  the  same  railtrack.  Predict  that  a  spe¬ 
cific'  constellation  (^f  sw-it('h('s  k'ads  to  a  crash  in  one  possible  ('ontinnation. 


5  Conclusions  and  Further  Work 

In  this  paper  wc  proposed  a  blueprint  of  an  arc! lit c'ct lire  for  predictive  security 
analysis  of  event-driven  processes  that  enahks  exhaustive  procc'ss  analysis  during 
rimtinie  b<vs('d  on  the  trigger(‘d  real-life  ('vents.  Onr  approach  is  ba.sc'd  on  the 
specification  of  an  op(^rational  finite  state  model  of  the  procc'ss  behaviour  We 
have  (h'lnonstrated  how  onr  methods  can  be  applied  in  order  to  ensiin'  (‘(Ttain 
.s('(  nrity  regulations  in  the  process  of  online  eredit  application  and  how  w<'  can 
construct  event  abstractions  on  different  levels  in  order  to  detc'ct  eiirrent  and 
iK'ar-fntnre  thn'ats. 

Cnrn'iitly  our  components  are  prototypieally  impleiiK'iited  wnt  hont  automat (h1 
merging  and  translation  inechaih.sins  for  the  input  models  and  s  pec  ifi  eat  ions. 
aiitomaU'd  event  patU'rn  extraction  and  new'  evc'iit  pattern  composition.  Wc 
used  the  SII  veiifieation  tool  [9]  to  analyse  an  exc'iiiplary  business  process  mod('l 
for  diffcn'iit  concrete  instantiations  (numbers  of  clients,  and  time- horizon)  of 
the  model.  In  the  future,  we  will  further  develop  such  U'ehniqnes  in  order  to 


328 


R.  Rieke  and  Z.  Stoyiiova 


automate  the  security  analysis  and  simulation  and  extend  the  method  to  eov<'r 
livenoss  properties. 

Flirt heriiiore,  alerts  in  today’s  monitoring  systems  by  themselves  bring  little 
value  in  the  process  security  management  if  they  ramiot  be  acted  upon.  There¬ 
fore,  we  have  to  provide  additionally  to  the  alerts  alternative  coimter-ineasure 
scenarios  that  can  be  (piantifiable  evaluated  thanks  to  simulation.  In  this  way 
our  analysis  can  be  extended  to  provide  feedback  to  the  ojmrators  on  feasibility 
and  impacts  of  both  attacks  and  eounter-measures. 

Acknowledgments.  The  work  presented  in  this  paper  was  develoj^ed  in  the 
context  of  the  project  Alliance  Digital  Product  Flow  (ADiWa)  that  is  funded 
by  the  German  Federal  Ministry  of  Education  and  Research.  Support  code: 
OlIAOSOOGF. 

References 

1.  Dijkmaii,  R.M.:  Diagnosing  Differences  Between  Business  Process  Models.  In:  Du¬ 
mas,  M..  Reicl.ert,  M.,  Shan,  M.-C.  (eds.)  BPM  2008.  LNCS,  vol.  5240,  pp.  261  277. 
Springer,  Heidelberg  (2008) 

2.  Dijkinan,  R.M.,  Dumas,  M.,  Ouyang,  C.:  Semantics  and  analysis  of  business  process 
models  in  BPMN.  Inf.  Softw.  Technol.  50(12),  1281  1294  (2008) 

3.  Kazhamiakin,  R.,  I^istore,  M.,  Santuari,  L.:  Analysis  of  communication  models  in 
web  service  compositions.  In:  WWW  2006:  Proc.  of  the  15th  Interiiatioiial  Confer¬ 
ence  on  World  Wide  Web,  pp.  267-276.  ACM,  New  York  (2006) 

4.  Luckhain,  D.:  The  Pow'er  of  Events:  An  Introduction  to  Complex  Event  Processing 
in  Distributed  Enterprise  Systems.  Addison- Wesley,  Reading  (2002) 

5.  Massart,  T.,  Meuter,  C.r  Efficient  online  monitoring  of  LTL  properties  for  asyn¬ 
chronous  distributed  systems.  Tech,  rep.,  Uuiversite  Libre  de  Bruxelles  (2006) 

6.  McCoy,  D.W.:  Business  Activity  Monitoring:  Calm  Befon'  the  Storm.  Gartner  Re¬ 
search  (2002) 

7.  Netjes,  M.,  Reijers,  H.,  Van  der  Aalst,  W.P.:  Supporting  the  BPM  life-cycle  with 
FileNet.  In:  Proceedings  of  the  Workshop  on  Exploring  Modeling  Methods  for 
System.s  Analysis  and  Design  (EMMS AD  2006),  held  in  conjunction  with  the  18th 
Conference  on  Advanced  Information  Systems  (CAiSE  2006),  Luxembourg,  pp. 
497  508.  Namur  University  Press,  Namur  (2006) 

8.  Nicolett,  M.,  Kavanagh.  K.M.:  Magic  Quadrant  for  Security  Information  and  Event 
Management.  Gartner  RAS  Core  Reasearch  Note  (May  2009) 

9.  Ochsenschlager,  P.,  Repp,  J.,  Rieke,  R.,  Nitsclie,  U.:  The  SH-Veriheation  Tool 
Abstraction-Based  Verification  of  Co-operating  Systems.  Formal  Aspects  of  (Com¬ 
puting,  The  International  Journal  of  Formal  Method  11,  1  24  (1999) 

10.  Pietzuch.  P.R.,  Shaiid.  B..  Bacon,  J.:  A  framework  for  event  composition  in  dis¬ 
tributed  sys'tems.  In:  Endler,  M.,  Schmidt,  D.C.  (eds.)  Middlew’are  2003.  LNCS, 
vol.  2672,  pp.  62  82.  Springer,  Heidelberg  (2003) 

11.  Rozinat,  A.,  Wynn,  M.T..  van  der  Aalst,  W.M.P.,  ter  Hofstede,  A.H.M., 
Fidge,  C.J.:  Workflow  siinulatioii  for  operational  decision  support.  Data  Knowl. 
Eng.  68(9).  831  850  (2009) 


Virtual  Environment  Security  Modeling 


Dmitry  Z('gzli(la  and  Ekaterina  Riidina 

Saint-Petersburg  State  F’oivtecliiiical  Uiin-ersity. 
Polylekhnirlu'skaya  str.  29>  Saiiit-FVtershnrg,  Russian  Federation 
{dmitry ,  e-katerina}<9ssl .  stu .  neva .  ru , 
ekaterina . rudinaOgmail . com 


Abstract.  Virtualization  allows  to  manage  a  lot  of  propcTties  of  eom- 
pnt(’r  systems  including  tli(‘  security  of  information  processing.  Coal  of 
this  investigation  is  to  state*  conditions  of  the  ability  of  virtualization 
mechanism  to  guarantee  satisfying  of  the  security  policy.  It  is  formally 
proved  that  if  the  virtual  environment  is  untriisted,  virtualization  mech¬ 
anism  should  1)0  run  on  the*  trusted  operating  system. 

Keywords:  virtualization,  hypervisni  .  virtual  eiivironinent,  trusted  sys¬ 
tem,  information  security,  untriisted  application,  .st'cnrity  modeling. 


1  Introduction 

In  genernl  virtualization  is  a  tcchnitiue  of  the  computer  resources  reprt'sentation 
to  obtain  new  proptTties  of  these  resources  use. 

The  formal  r(*(piireiiients  for  virtual izable  art'liiteetiires  were  originally  (hdiiied 
bv  Popek  and  Goldberg  |lj.  Their  virtual  iiiadiine  monitor  was  liuilt  u.sing  the 
call  inter(‘eption  tcclmiqu(\  Binary  translation  code  has  bt'eonu*  highly  compet¬ 
itive  to  this  approach  nowadays  |2|.  However,  the  coiu'epts  of  the  virtualization 
and  virtual  machine  monitor  (hypervisor)  are  being  defined  and  widely  used  in 
this  paper  iiideperidentlv  of  the  mt'tliod  of  their  realization. 

Hypervisor  should  aiiswt'r  at  least  the  two  conditions.  Firstly,  exeeiitioii  of  the 
virtual  eiivironinent  slioiild  b(*  invariable  to  the  execution  of  the  iion-virtual  sys¬ 
tem  (equivalence  proiierty).  Set  ondly.  the  virtualized  resonrees  should  be  com¬ 
pletely  sc'parated  (resoiiret*  control  property).  Efficiem  v  property  is  outside  of 
tliis  investigation. 

A  hypervisor  usually  works  as  a  regular  application  controlk'd  by  a  (usually 
non- virtual)  system  and  does  not  prevent  using  other  applications  at  the  same 
time.  Virualization  technique  coniinonly  is  inessential.  If  defined  so,  liyjiervisors 
of  both  Typ('-I  and  Typ(‘-H  will  be  (‘oiisidt'red. 


2  Related  Works 

A  tendency  has  recently  been  olxstaved  to  virtualize  the  iiifonnatioii  jirocessing 
means  in  order  to  (mhaiK'e  their  st‘eurity.  Different  approaches  to  ('onstnict  the 


l  Kcitcnki)  and  V  Skorinin  (Eds  ):  MMM-ACNS  2010.  LNCS  02r»S.  pp.  .329  330,  2010 
Springe*! -Verlag  Berlin  Heidelberg  2010 


330  D.  Zegzhda  and  E.  Riidina 


processing  architecture  has  been  used,  most  of  them  being  aimed  at  the  data 
isolation  and  or  virtual  separation  of  the  processes.  Examples  of  such  solutions 
can  be  found  in  |3],  (4|,  [5],  [6]. 

In  [3|  is  asserted  that  the  operating  system  and  applications  currently  run¬ 
ning  on  a  real  machine  should  relocate  into  a  virtual  environment,  because  it 
enables  services  to  be  added  below  the  operating  system  and  to  do  .so  without 
trusting  or  modifying  the  operating  system  or  applications.  Three  services  are 
demonstrated  as  an  examples  (secure  logging,  intrusion  prevention  and  detec¬ 
tion.  and  environinent  migration),  but  the  formal  substantiation  of  that  approach 
is  absent. 

In  |4]  is  presented  an  architecture  that  retains  the  visibility  of  a  host-based 
intrusion  detection  system,  but  pulls  the  IDS  outside  of  the  host  for  greater 
attack  resistance. 

The  authors  of  [5]  use  the  technique,  that  is  analogous  to  the  virtualization, 
to  isolate  the  effects  of  untrusted  program  execution  from  the  rest  of  the  system. 
Isolation  is  achieved  by  intercepting  and  redirecting  file  modification  operations 
made  by  the  nntrusted  process  so  that  they  access  a  '’modification  cache"  invis¬ 
ible  to  other  processes  in  the  system.  Key  benefits  of  this  approach  are  that  it 
requires  no  changes  to  the  nntru.sted  programs  (to  be  isolated)  or  the  underlying 
operating  system;  it  cannot  be  subverted  by  malicious  programs:  and  it  achieves 
these  benefits  with  acceptable  rnntiine  overheads.  It  is  the  same  benefits  that 
offers  the  virtualization. 

In  |6|  is  also  offered  the  approach  to  program  isolation.  The  dangerous  system 
calls  are  intercepted  and  filtered  via  the  Solaris  process  tra('iiig  facility.  The 
declared  advantage  is  to  reduce  the  risk  of  a  security  breach  by  restricting  the 
program’s  access  to  the  operating  system.  That  access  can  be  also  restricted  by 
a  virtualization  hypervisor  (according  to  a  resource  control  property). 

Nevertheless,  the  virtualization  technology  is  able  to  provide  more  opportuni¬ 
ties  to  secure  information  processing  than  simple  isolation  or  access  restrictions. 


3  Problem  Definition 

In  this  paper  we  will  regard  program  virtualization  for  executing  untrusted  aj)- 
plications  in  secure  environinent.  Programs  which  cannot  be  directly  executed 
in  this  environment  may  be  run  by  a  virtual  machine,  though  the  operating  sys¬ 
tem  is  to  control  the  access  of  the  applications  to  the  data  which  are  to  be  kept 
secure.  Better  functioning  of  the  operating  system  can  be  achieved  to  a  less  cost 
in  this  situation. 

The  problem  is  to  define  properties  of  the  physical  system  which  will  be  inher¬ 
ited  by  the  virtual  eiiviromnent.  To  describe  the  invariable  property  of  programs 
[1]  a  nnnibcr  of  statuses  of  the  virtualized  system  is  considered  as  a  hoinonior- 
pliic  image  of  the  statuses  of  a  real  system.  Which  properties  of  the  virtualized 
system  does  the  honioinorphisni  retain?  Under  what  conditions  can  a  virtual 
system  inherit  not  only  the  properties  of  the  virtualized  system,  but  of  the  base 
system  as  w^ell?  To  answer  these  questions  we  need  to; 


Virtual  Eli v iron nu'nt  Security  Modeling 


331 


specify  wliich  security  aspects  can  formally  he  guaranteed  using  the 
approach; 

simulate  a  model  of  a  comiiuter,  which  can  execute  a  definite  set  of  programs: 
sj)('cif\^  the  hypervisor's  jn'operties  in  terms  of  this  simulation  and  acx’ording 
to  the  definition  given  in  (l|  and  describe  how  the  initial  system  relates  to 
its  virtual  image,  executc'd  iiiider  the  hyj)ervisor's  control. 

The  goal  of  this  investigation  is  to  formulate  tin'  conditions  iimh'r  which  any 
application  executing  in  virtualized  system  eiivironnient  keeps  sc'cure,  while  ex- 
('ciitiiig  the  same  applications  in  the  same  hut  not  virtualized  eiiviroiimeiit  may 
not  he  secure. 


4  The  Computing  System  Model,  Integrated  Security 
Condition 

Let  us  describe  a  iiKxh'l  of  a  computing  system  M  on  which  the  prohUan  d(dini- 
tioii  will  be  hiised. 

ddie  criuaal  filature  of  tin'  model  is  resources  tyi)ificatioii.  A  ri'soiiriH'  in  com¬ 
puting  system  is  not  only  a  named  object  keeping  data.  It  is  characterized  by 
its  own  access  t('C‘hiiiques  and  its  interpretation  when  obtaining  the  data  from 
it.  From  the  virtualization  inechaiiism  vi('w])oint,  differemt  computing  system 
resources  should  be  regarded  according  to  tlu^  techiiicjuc  of  their  interpretation 
and  to  whether  they  can  be  virtualized  using  this  mechaiiism  separately  from 
other  resources,  hi  otlu'r  words,  the  typification  of  th(\se  resour(‘('s  in  terms  of 
their  virtualization  possibility  should  be  appli<‘d.  The  resource  tyi>e  is  constant 
throughout  its  lifetime.  Resources  of  different  types  can  keep  or  transmit  th(' 
same  data.  The  single- v^ahied  idemtificatioii  of  the  resource  is  necessary  for  its 
obtaining  or  modification. 

Thus,  each  imicjiiely  identified  resource  of  a  computing  system  is  (k'termined 
by  its  tvp('  and  the  data  it  keeps  at  every  i)articular  moment  of  time. 

The  model  M  —  (P,  /?,  T /?,  I),  r.  6.  F.  Prg,  (p)  is  specified  by  the  following  sets 
and  mappings: 

P  a  set  of  subject  s  (processc's) 

/?,  pen  a  set  of  objects  (resources) 

77?  a  finite  set  of  resource'  types 
D  the  data  key^t  or  transmitted  by  the  resourci' 

T  :  R  ^  TP  resource  type  fuin^tioii 

(S  :  /?  D  the  function  of  data  kept  transmitted  by  the  resource 

F  =  {f^}^  i  £  \  :  71  a  finite  set  of  functions  defining  the  system  status  ac¬ 
cording  to  which  resources  it  was  applied 
\/fi3dcpi  =  resources  the  function  executing  depends  on 

V/i3e/ fi  —  {trik}  resources  the  function  executing  tells  on 
F  a  set  of  finite  function  seciuences  from  F 

Prij  C  F*  a  set  of  programs  for  the  system 

)  P  Prg  a  function  matching  a  program  to  each  jirocess 


332  D.  Zegzhda  and  E.  Rudina 


S  =  {P.  /?,/>)  a  sequence  describing  the  system  status  at  each  moment 
j)  E  P  an  active  process 
C  =  {5}  a  set  of  system  statuses 

Program  behavior  pj'g  E  Prg  is  dcscribcxl  by  a  seciutuice  Bprg  =  Uprg^  ^p^9^  ^prg)^ 
where 

^prg  Q  P  a  set  of  ill  con  ling  resources 
Oprg  Q  li  a  set  of  outcomiiig  resources 

A  prg  :  S{Iprg)  — >  S{Oprg)  an  algor  i  thin  of  program  per  fori  nance 

Let  ns  consider  such  security  aspects  as  confidentiality  of  the  data  processed, 
accessibility  of  this  data  (given  that  the  access  requested  is  legitimate),  data 
and  enviromnent  integrity.  To  control  the  security  in  one  of  these  aspects  some 
formal  criterion  is  necessary.  The  criterion  can  be  described  as  a  predicate  VER, 
active  in  a  set  of  data.  The  predicate  V ER  performance  should  be  guaranteed 
at  least  for  a  specified  subset  of  the  computing  system.  The  types  of  sensitive 
resources  build  a  subset  CR  C  TR.  The  security  condition  may  then  be  put 
like  this: 

(Vr  G  R(r{r)  E  CR)  ^  VER{S{r)))  (1) 

This  condition  may  be  reduced  to  the  requirement  of  confidence  or  integrity  of 
some  data,  to  some  special  requirements  to  computer  resources  during  proc  e.ssing 
of  these  resources  and  so  on.  Hence,  using  of  integrated  security  condition  allows 
us  to  ai)ply  our  a[)proach  more  broadly. 

5  Virtual  System  Properties 

Let  us  analyze  the  properties  of  the  architecture  considered  using  the  model  we 
have  introduced. 

There  is  an  insecure  general-purpose  system  A  and  a  secure  system  H .  The 
systcuiis  are  used  for  processing  data,  kept  or  transmitted  by  other  resources  of 
different  types.  The  sets  of  their  resource  tyj)es  completely  or  partially  coincide. 
The  systems  A  and  //  are  described  by  a  model  of  a  coinputing  system  M. 
There  is  a  predicate  that  describes  executing  the  security  aspect  VER  :  D 
[true,  false}  and  type  (1)  data  security  condition.  Data  representation  in  the 
both  .systems  A  and  II  is  identical,  i.e.  their  sets  D  coincide.  As  a  result,  predicate 
VER  definition  in  systems  A  and  H  is  identical. 

System  A.  described  by  the  model  =  (P^,  R"^ .  TR"^.  D.  P,  Prg^.ip), 
may  be  virtualized  under  system  //  control  as  the  third  system  V^  described  by 
a  model  A/^  -  (P^\  R^\TR^ .  E  Prg^\ip) 

1.  The  following  j)roperties  are  fulfilled  for  the  system  A  relative  to  the  sys¬ 
tem  V: 

(a)  R^  C  R^^ 

(b)  Invariability  of  the  virtual  environment  relative  to  the  real  machine 

3Hs  :  C"'  — ^  which  is  such  that 

V/  €  eC^  3S^  E  C^\3r  e  F*  :  =  r{H{S^))) 


Virtual  Eiivironniont  Si'curity  Modeling 


3:i‘^ 

(c)  Hypervisor  control  over  virttmlizatioii  of  (he  resources  of  types  \^/?  C 

Tf^A 

V/,  :  drp,  C  VR  V  cff,  CVR 

e  c^\s.f  =  fi{sf).s\'  =  //(.sy),5'.]'  =  ms.^) 

^fuh . A  : 

iS>,'  =  /i  A  . . .  fk-{S\  )A 
iJ  €  1  ;  A- 

n  VR  =  0  V  rffj  n  VR  =  0)V 
iS]'  =  fifz  ■ . .  fjiSl'  =  {Pr,  R,,p,  )  ^  Ap..  )  -  VR)) 

2.  For  tho  base  system  //,  deserihecl  by  tlie  model,  arc  fulfilled  the  following 
pro|)erties: 

(a)  r"  C  P' 

(b)  R"  C  /?'■ 

(c)  C  Tn^\  Vr  €  /?"  ^  r'  (r)  =  r'^(r) 

3.  The  sets  of  ])rograins.  valid  in  A,  H  and  \  \  relate  to  each  other  as 

Pr<f^  =  Pvf]^  U  Pr(j^^  and  Vp  €  P^^  =>  v'  (/•)  is  met. 

4.  Resources,  used  for  k(‘ei)iiig  and  or  transmitting  tlu'  sensitive'  data,  are  sub¬ 
sets  of  the  virtualized  resources: 

C/^^  C  VR. 

5.  Behavior  of  the  virtualization  hype'ivisor  Jis  a  program  in  syste'iu  H 

By  II  =  {Ivn.OvH^Avu),  ly  u  C  /?,  Oyu  C  /?,  Ay  a  :  <^(/\’//)  ^{Oyn) 
answers  tlie  security  condition  1 

\/S[^  ef: 

(S('  =  (Fl'.R{\p{')A  MS[')  =  S.^'  =  {P>‘.R!‘,p!^)A  ^{p[‘)  =  VII)  ^ 

(Vr  €  Ri'  :  (r"(r)  €  CR"  VER{(){r)))  => 

(Vr  €  IvhUOv,,  C  R‘J {t>‘ {v)  €  C R“  ^  VER{6{v)))) 

We  will  consider  this  conditions  being  true  for  tlu'  next  propositions.  Le't's  vi('\v 
wliat  w'e  should  demiand  inuh'r  tliese  conditions  if  \v('  want  to  supply  the  secure* 
e'xevution  e)f  uiitruste*el  applie^ations. 

6  Security  Reqiiireuieiits  in  tho  Virtual  System 

The  fe)lle)wiiig  state'iiient  is  pre)V('el. 

Theorem  1.  Let  the  following  conelit ie^ns  for  the  r('Soure:e»  typificat ion  functions 
be*  me't  in  the  syste'ins  A  aiiel  V' 

the  re'se)urce  typification  function  is  mappeel  from  M  te)  homonmrphically, 
i.e*.  a\  :  ^  TR^  ^r  €  R^  C  /?^  (r''(r)  =  \(r''(r))) 

anel  V/  €  77?'^  :  i  e  <=>  \(/)  e  CR^^ 

The  virtual  system  inee'ting  the*  give'ii  conditions  provides  any  pre)gram  of 
system  A  sexaire  e'xe'cutiejii. 


334 


D.  Zegzhda  and  E.  Rudina 


In  other  words,  when  the  given  conditions  are  met,  any  progranrs  behavior  in 
V  will  be  changed  by  the  virtualization  hypervisor  so  as  to  meet  the  security 
requirements,  even  if  the  behavior  of  this  program  in  A  is  insecure. 

Proof.  The  proof  of  this  statement  is  being  made  by  reduction  to  absurdity.  If 
this  statement  is  false,  predicate  VER  will  be  met  and  not  be  met  simult  aneously. 

Nonsecure  program  behaviour  in  the  system  A  means  that  some  function  in 
some  state  of  this  .system  violates  the  security  condition: 

e  C^\3f^  e  F  : 

(6V  =  A  MS^)  =  S.t  =  (P/.  R^P^)  A  =  prp)  ^ 

Vr  G  R^  :  (r(7-)  6  CR^  =>  VER{6{r))  =  true)  A  (3r  s  C  R^  :  r(r)  e 

CR^  A  VER(S{r))  /  true). 

Particularly,  that  is  followed  by  cf  f,  n  CR'^  /  0. 

Let  us  consider  that  if  program  were  run  under  virttial  machine,  its  behavior 
wouldn't  change.  Then  following  condition  is  met; 

3SY.Sl'3f,,h...h:SY  =  H{S^), 

SY  =  H(S^)  -  H{f,{Sf))  =  /,/2  . . .  h  {H{SY)). 

Hoiiiomorphisni  describing  invariability  of  the  virtual  environmciit  relatively 
to  real  enviionment  saves  the  data  representation.  Resource  type  function  ac¬ 
cording  to  considered  condition  is  mapped  from  real  enviroinnent  onto  virtual 
environment  also  homoniorphically: 

3x  :  TP^  rP''',Vr  €  C  R^{T^'{r)  =  \(r^(7-)))- 

If  TP"  C  TP''  then  CP"  C  TP''. 

Considering  that  Vf  G  CR^x{^)  S  CR^ ,  lot’s  view  hoinomorpliic  mapping  of 
nonsecure  behavior  of  the  function  /,;,  then 

35,''gC''.3/gF, 

(67  =  (F'b  )  A  /. . . .  MSY)  =  SY  =  {pY,  RY,i>Y)  a  <f>{pY)  =  prg)  ^ 

((Vr  G  P}  ;  T'’(r)  =  x(T'’'(r))  G  CP"  =>  VER(S{r))  =  true) A 

A{3r  G  RY  ;  r'^(r)  :=  x('r'^(?'))  G  CP"  A  VER(6(r))  /  true)). 

So  it  exists  a  nonsecure  state  reached  from  secure  state  of  the  .system  1/.  (2) 

From  resource  contnil  condition  we  obtain 

V/i  :  dep,  C  VR  V  eff,  CVR 

VS,  G  c. S2  -  f,(s, ), sY  =  H(Si),sY  =  n(s-2) 

3/,./2...A-:(5,V  =/i/2...A(5,''))V 

(jG 

(depj  n  V^P  =  0  A  effj  0  FP  =  0)V 


Virtual  luiviromiieiit  Security  Modeling 


^35 


V(S]-  =  /,/2 . ..fkisl')  =  {P]\  R]\p]’)  =>  0{p)’_y)  -  VH)). 

VI!  behavior  is  soeiire  in  system  II: 

vs(^  e  c"yf,  e  f 

{Si'  ={I\",R{'.p{')Af,{ si' )  -  si'  =  ( P.j' .  /?'' . )  A  <?)(;>;' )  -  V H )  => 

(Vr  €  /f['  ;  (r"(r)  6  CP"  ^  VFI{{S{r))  =  true))  => 

(Vr  €  /vH  UOv  ;/  C  Si'(r"(r)  e  CP"  ^  VFP{S{r))  =  trm  )). 

As  next  eoiiditions 

p"  c  p' .  p"  c  p^'.  TP"  c  riP 

Vr  e  S"  =>  F'{r)  =  t"{i-) 

Vp  6  P"  =>  <l>^  {l>)  —  (1>"  (p) 

are  iiu't,  so  Vfl  behavior  is  seenre  in  system  V  relative  to  base  systcun  re¬ 
sources  snbsc't: 

vs}  €  e^  .V/',  6  F  : 

(Sr  =  (Pi',  P\’,p\  )  A  /,(S|')  =  Si  =  (Fi  .  /n  ,/4  )  A  Mp\  )  -  VP)  ^ 

(Vr  €  P'y'  C  ri\  :  (F'{r)  e  CP"  VFIi{fl{r))  -  friir))  => 

(Vr  €  P.^  C  P^'(F'(r)  €  CP"  =>  VFP{6(r))  -  true)). 

Let’s  show  for  the  eoiisideriiig  eoiiditions  that  the  nnining  of  the  fiinetions 
/,  :  {d(  p,nV^  P  —  0Ae//,nV'/f  =  0)  doesn't  iiffeet  the  virtual  environment  state 
Sj  security,  where  Sj'  is  rc'aehed  with  applying  one  or  move  of  these  fiinetions  to 
some  secure  state  Sjlj.  Seeiiritv  condition  here  is  meant  relative  to  base  system 
vesoiirees  snliset: 

Vt  e  dcp,Ucff,{\if)  e  CP"  ^  t  €  CP-') 

(dep,  n  VP  -  0  A  eff,  n  VP  =  0)  =>  (dep,  n  C'P  '  =  0  A  r//,  n  r/F'  =  0). 

That  is  followed  by  €  dep,  Ucf fi  :  \{t)  E  CP" . 

ddi(‘  snbsc't  of  n‘sourccs  affected  by  tlu'se  functions  in  virtual  eiivironnu’iit . 
doesn't  contain  rc^sonn'cs  with  types  from  subset.  Thus,  security  condition 

can’t  be  violated  by  thc.se  functions  being  run  in  virtual  environment. 

Hence  with  the  VH  behavior  sc'curity  condition  relative  to  resource's  of  the 
ty|)es  of  r'/?^^sul)s(‘t  and  the  resource  control  condition  for  the  sequence  of  states 

i  G  1  . . .  k{S]’  =  {Pj.Rj.  VH))  it  follows  that 


Vr  G  /?5'(r^'(r)  G  =>  VF.R{6{r))  =  irnc). 


So  we  obtain 


336  D.  Zegzlida  and  E.  Rudiiia 


V/,  :  dep,  U  K/?  ^  0  V  c//i  U  K/?  7^  0 

\/Si€aS2=  =  H-\Si),S^  =  H-\S2) 

Bfuh-.-h-isi:  =  hf2...MSY))A 

A{j  €  I  . .  .it.Vr  €  €  C7?"  =i-  VER{S(r))  =  true)). 

Every  state  reached  from  secure  state  of  the  system  is  secure.  (3) 

01)taiiied  contradiction  between  (2)  and  (3)  is  followed  by  the  absurdity  of  made 
consideration.  Hence,  the  behavior  of  the  program  being  run  in  virtual  environ¬ 
ment  will  be  changed,  Q.E.D. 

7  Conclusion 

It  is  proved  that  under  dc'fiiied  conditions  the  properties  of  secure  data  process¬ 
ing  will  be  inherited  by  virtual  environment.  An  ai)proach  to  extend  functional 
capabilities  of  secure  operation  systems  using  the  virtualization  technique  has 
been  formally  substantiated.  The  results  obtained  can  be  used  to  (Tcate  require¬ 
ments  to  the  virtual  enviroinnents  adopted  in  this  area.  Such  ai)proach  makes 
the  virtualization  mechanism  worthwhile  in  securing  not  only  as  a  means  of  data 
isolation  and  separation  of  their  processing.  It  can  also  provide  the  inheritance 
of  secure  base  system’s  properties  by  a  virtual  system. 


References 

1.  Popek.  G..J..  Goldberg,  R.P.:  Pbrinal  Requirements  for  Virtualizahle  Third  Gen¬ 
eration  Architc'ctiires.  A.s.sociation  for  (computing  Machinery,  Inc.  17(7),  412  421 
(1974) 

2.  Adams,  K.,  Agesen,  O.:  A  Comparison  of  Software  and  Hardware  Techniques  for 
x86  Virtualization.  V'Mware  (2006), 

http :  //www .  vmwaLre .  com/pdf /asplos235_adains .  pdf 

3.  Chen,  P.M.,  Noble,  B.D.:  When  Virtual  Is  Better  Than  Real.  In:  8th  Workshop  on 
Hot  Topics  in  Operating  Systems,  HotOS  (2001) 

4.  Garfinkel,  T.,  Roseublmn,  M.:  A  Virtual  Machine  Introspection  Based  Architec¬ 
ture  for  Intrusion  Detection.  In:  Proc.  Nc'twork  and  Distribut('d  Systems  Security 
Symposium  (2003) 

5.  Zhenkai,  L.,  Venkatakrishnan,  V.N.,  Sekar,  R.:  Isolated  Program  Execution:  An  Ap¬ 
plication  Transparent  Approach  for  Ex(X‘uting  Uutrusted  Programs.  In:  Proewdings 
of  Animal  Computer  Security  Applications  Conference  (2003) 

6.  Goldberg,  I.,  Wagner,  D.,  Thomas,  R.,  Brewer,  E.A.:  Secure  Environment  for  Un¬ 
trusted  Helper  Applications.  In:  Proceedings  of  the  6th  U.senix  Security  Symposium 
(1996) 


Clarifying  Integrity  Control 
at  the  Trusted  Information  Environment 


Dmitry  P.  Zeg/hda,  Peter  D.  Zegzhda,  and  Maxim  O.  Kalinin 

Information  Security  Center.  St.  Petersburg  Polytechnical  University,  St.  Petersburg,  Russia 
{dmitry , zeg , max} @ssl . stu , neva . ru 


Abstract.  TTie  paper  addresses  to  the  technique  of  integrity  control  based  on  se¬ 
curity  settings  evaluation  which  is  made  over  variable  software  components. 
There  are  formal  foundations  of  integrity  control  related  to  finding  security 
settings  which  form  trusted  security  environment.  It  also  uses  iterative  search 
for  security  settings  which  arc  compatible  and  agreed  with  each  other.  Our  ap¬ 
proach  results  to  a  schema  of  Security  and  Integrity  Control  System  that 
combines  principles  of  automated  control  system  and  security  management. 

Keywords:  access  control,  automation,  integrity,  trusted  information  environ¬ 
ment.  security  management,  security  settings. 


1  Introduction 

Contemporary  security  claims  in  IT-systems  which  are  targeted  at  critical  information 
utilization  are  that  they  have  to  be  trusted  in  reference  to  information  environment 
(IE)  and  security  components.  Basically,  IE  is  a  convergence  of  system  software  (c.g. 
operating  system)  and  user  applications  (e.g.,  office-related  software).  To  be  a  trusted 
one  in  security  sense,  the  IE  is  to  integrate  a  set  of  security  mechanisms,  which  should 
realize  protection  methods.  For  the  trusted  IE  (TIE),  there  is  a  great  desire  to  accom¬ 
plish  a  full  set  of  security  aspects,  i.e.  confidentiality,  accessibility,  and  integrity. 
Having  been  emphasized  at  confidentiality  and  accessibility,  access  control  methods 
seems  to  supply  the  IE  with  fair  security.  But  access  restrictions  are  not  enough  for 
pure  assurance  of  complete  information  safety.  Concerning  with  integrity,  it  is  neces¬ 
sary  to  clarify  a  traditional  definition  of  overall  system  integrity  and  include  a  set  of 
integrity-related  aspects  corresponding  to  reliability  of  system  security  components, 
stability  of  security  settings,  and  invariance  of  security  regulations.  These  a.spects  hurt 
system  security,  because  they  are  focused  on  the  TlE's  unpredictable  properties. 
We  call  this  problem  as  'the  problem  of  integrity.  This  paper  proposes  a  technology 
targeted  to  settle  it. 


2  Background  and  Related  Works 

Integrity  means  assurance  that  information  is  authentic  and  complete  [1].  In  that 
sense,  integrity  problem  could  be  resolved  with  well-known  cryptographic  approaches 

1.  Kotenko  and  V.  Skormin  (Eds.):  MMM-ACNS  2010.  LNCS  6258.  pp.  337-344,  2010. 

©  Springer-Verlag  Berlin  Heidelberg  20 10 


338 


D.P.  Zegzhda,  P.D.  Zegzhda,  and  M.O.  Kalinin 


(hash,  checksums,  etc.).  Traditional  definition  of  integrity  is  based  on  the  data  level 
and  it  does  not  involve  the  system  wholeness.  As  the  result,  we  can  not  completely 
trust  the  IE  security  that  obtains  assurance  for  data  but  not  for  the  system  itself.  But 
demand  for  system  integrity  control  is  raised  with  two  significant  reasons: 

-  a  huge  number  of  vulnerabilities  in  operating  systems  and  program  applica^ 
tions.  Security  flaws  make  the  TIE'S  characteristics  and  behavior  totally  unpredictable 
and  instable.  As  the  result,  the  TIE  can  not  be  considered  as  the  reliable  (and  secure) 
one.  It  means  that  IE  is  just  a  system  with  some  number  of  security  properties  which 
depend  on  security  of  the  components; 

—  complexity^  of  modern  IT-solutions.  Nowadays,  IT-solutions  integrate  different 
software  products  shipped  by  different  vendors.  Some  software  has  license  limitations 
on  code  distribution;  therefore  there  is  no  possibility  to  inspect  overall  system  reliabil¬ 
ity  by  code  analyses. 

To  solve  the  first  problem,  a  number  of  security  enforcing  IT-solutions  was  imple¬ 
mented:  trusted  versions  of  operating  systems  (e.g..  Trusted  Solaris  [2],  secure 
editions  of  UNIX  systems  [3]);  security  packs  and  midware  (e.g.  RSBAC  [4],  GRSe- 
curity  [5]);  security  gateways  (e.g.  Astaro  Security  Gateway  [6]);  delegating  tech¬ 
nologies  (e.g.,  Multiple  Independent  Levels  of  Security  [7]).  All  the.se  solutions  are 
united  with  a  principle  of  system  isolation.  In  that  case,  TIE  stability  might  be  treated 
as  a  desired  security,  but  influence  of  human  factor  can  not  provide  TIE  with  any 
stable  integrity.  Moreover,  the  security  providing  software  causes  compatibility  prob¬ 
lems  with  each  other.  The  second  factor  means  that  the  checksums  calculated  for  any 
security  component  do  not  guarantee  integrity  of  the  whole  system.  This  is  a  result  of 
'a  system  property':  summary  of  the  given  elementary  properties  does  not  directly 
provide  the  system  with  the  same  property  (e.g.,  correct  checksums  calculated  for 
executables  do  not  mean  the  system  integrity  because  binaries  can  run  in  different 
executive  environments  with  different  settings  which  can  be  changed  while  the 
system  works). 

The  TIE  with  unpredictable  properties  (integrity  as  well)  can  not  be  treated  as  pure 
secured  and  trusted.  System  integrity  issues  (e.g.,  stability  of  configuration,  invariance 
of  security  restrictions)  are  not  resolvable  with  cryptography  techniques  and  thus  they 
force  us  to  look  for  new  approaches.  This  paper  proposes  a  technology  targeted  at 
solving  the  problem  of  integrity  on  the  system  level.  Soul  of  the  solution  is  formed 
with  monitoring  and  controlling  of  IE's  security  states  with  giving  a  more  precise 
definition  for  integrity  as  for  a  security  property. 

3  Information  Environment  Integrity 

Traditionally,  integrity  is  the  ensuring  that  information  can  be  relied  upon  to  be  suffi¬ 
ciently  accurate  for  its  purpose.  Term  'integrity'  is  frequently  used  when  considering 
IT-security  as  it  is  represents  one  of  the  primary  indicators  of  security  (or  lack  of  it). 
As  mentioned  above,  integrity  is  not  only  whether  data  are  'right',  but  whether  they 
are  trusted  and  relied  upon.  Unfortunately,  for  system  complexity  (e.g.,  either  differ¬ 
ent  security  components  or  components  with  different  security)  and  configurations 
instability,  it  is  necessary  to  clarify  the  integrity  definition  taking  into  account  all  of 


Clarifying  Integrity  Control  at  the  Trusted  Infonnation  Environment 


339 


the  system  components  besides  data.  We  suggest  updating  the  term  of  integrity.  Integ¬ 
rity  is  the  ensuring  that  information  environment  is  stable  (invariable).  The  term  ’in¬ 
tegrity'  is  thus  transferred  from  static  to  dynamic  sense.  Stable  and  variable  parts  of 
system  integrity  arc  presented  in  Fig.  1.  Stable  components  include  the  functional 
modules  that  are  founded  at  system  designing  and  building:  e.g.  executables,  operat¬ 
ing  sy.stem  elements,  data  ba.scs.  There  arc  the  system  components  with  long  life¬ 
cycle.  Modifying  any  of  these  components  forces  ones  to  make  considerable  changes 
in  the  system  (i.e.,  in  its  architecture,  structure,  and  interfaces),  to  repetitive  test  and 
check  the  system  security.  Variable  components  are  represented  by  occasionally 
modified  system  entities:  e.g.  security  configuration  settings  (system  registry  values, 
access  control  rights,  etc.),  session  elements  (a  list  of  running  applications,  etc.). 
There  arc  the  components  with  short  life-cycle. 


c 


Trusted  Information  Environment 


J 


Stable  F^ogram 

Components 

31 


Cryptographic 

Methods 


^  Variable  Program  Components  ^ 


Applications,  operating 
system,  data  bases, 
information  assets,  etc. 

J 

II 

II 

Configuration  of 
Software 

^  A 

Configuration  of 
Software  Interactions 

f  Binaries 

T  r^RMQ 

r  Accounts  ^  1 1  1 

[  Composition  | 

I  Comoatibilitv  1 

Data  and  Code 
Char>ges 

II 

II 

f 

Composition 

Modification 

} - 

Installation  of 

Incompatible 

Software 

Settings 

Modification 

_ j 

- - 1 - - 

i 

k 

i 

\ 

Integrity  Threats 


Fig.  1.  TIE  in  Integrity  Scope;  Slmcture,  Threats,  and  Control 

Cryptographic  integrity  control  methods  are  suitable  only  for  the  stable  compo¬ 
nents.  Variable  ones  do  not  undergo  cryptographic  approaches  for  regular  changes 
provided  in  the  system:  for  example,  installation  of  incompatible  software  (e.g.,  a 
couple  of  cryptographic  libraries  which  use  different  releases  of  system  API);  soft¬ 
ware  update  that  induces  the  security  re-eon  figuration  (e.g..  Service  Pack  installation 
which  results  in  access  bits  changed  on  folders  and  files);  correction  of  the  users  li.st 
(e.g.,  adding  a  user  leads  to  changes  in  the  work  environment,  security  settings,  and 
u.scr  profiles).  Therefore,  if  we  want  to  reach  trustiness  for  the  system  security  we 
should  control  the  system  stability.  As  we  can  see,  every  change  in  the  variable  com¬ 
ponent  is  applied  to  the  system  security  configuration  and  thus  can  be  referred  to  as  to 
a  mutual  agreement  between  the  settings  of  TlE's  components  including  system  soft¬ 
ware,  applications,  and  security  mechanisms. 


340 


D.P.  Zegzhda,  P.D.  Zegzhda,  and  M.O.  Kalinin 


For  better  understanding  the  security  and  integrity  aspects  of  the  system  trustiness, 
let’s  formally  specify  the  solution  of  the  integrity  problem. 

The  system  state  is  characterized  with: 

—  a  set  of  program  components  P  ,  where  P  depicts  the  set  of  TIE's  compo- 
nent.s,  ie  N  .  A  program  item  is  specified  with  a  program  type  T^eT  ,  where  7  is  a 
set  of  program  types  (e.g.,  system  software,  user  application,  security  mechanism), 
n€  N  \ 

T  T 

—  a  set  of  program  attributes  A  "  ={ay" } ,  where  7„  is  a  program  type,  Oj  is  a 
component  of  program  attribute;  je  N  .  Program  attributes  are  the  settings  of  the 
tie's  program  components; 

—  a  set  of  attribute  values  } ,  where  =  varf/?,,  7^, ) , 

ke  N  .  Function  var.-  Px7  xA^  for  the  program  item  e  P  of  type  7^  6  7 
with  attributes  returns  the  values  . 

To  keep  integrity,  the  system  should,  firstly,  meet  the  security  conditions  at  any  of  its 
security  states  and,  secondly,  the  conditions  of  mutual  agreement  between  the  .settings 
of  tie’s  components  at  any  secure  state.  In  other  words,  it  means  that  every  system 
state  has  to  be  secure  and  the  .security  settings  have  to  be  agreed  (compatible)  with 
each  other. 

The  .security  conditions  are  met  in  the  .system  when  it  provides  the  security  accord¬ 
ing  to  the  security  regulations  (e.g.,  according  to  restrictions  of  security  policy).  For¬ 
mally,  the  security  control  can  be  represented  in  the  following  manner  (it  is  similar  to 
di.scretionary  and  mandatory  security  models,  but  it  is  based  on  the  predicative  re.stric- 

tions  checking).  The  system  Z={  ^Q]  is  a  state  machine,  where  is  a  set 

of  system  states,  =  PxTxAJ  xV^  ;  Q  depicts  a  set  of  access  queries;  tr  is  a  state 
transition  function,  tr:  ,  which  for  the  given  access  query  qe  Q  transfers 

the  system  from  the  state  into  the  next  state  =tr(q,s^  ):  initial 

state.  The  state  .y^is  called  reachable  in  the  system  L  iff  there  is  a  sequence  <{qQ, 
^0  ) . W/i  ’  where  •^.r+i  =  .  0<a</2.  For  any 

system  the  state  is  trivially  reachable.  In  the  most  common  case,  the  access  con¬ 
trol  model  M  implemented  in  the  system  Z  can  be  represented  as  a  set  A/  =  {5,  /?}, 
where  S  is  a  set  of  the  model  states  (so  called  the  security  states),  /?  is  a  set  of  access 
control  rules.  The  access  rules  have  a  form  of  the  predicates:  riq,s,s').  We  define  a 

function  pr:  S  that  specifies  a  correspondence  between  the  system  state  and 

the  security  state.  Predicate  r  checks  that  the  result  of  the  query  ^  is  a  transfer  of  the 
system  from  the  state  .y  to  the  state  s\  i.e.  there  is  the  function 
.y^'  =tr(q,s^  ),.y'  =  pr{s^'ks  -  ptis^  ),5"'  =  pr~\s'),s^  =  pt‘~^(s)  permitted  by  access 

control.  Other  words,  transition  of  the  system  from  the  state  .y^  g  5^  to  the  next  state 


Clarifying  Integrity  Control  at  the  Trusted  Information  Environment 


341 


X  y 

s  'e  S  is  granted  iff  all  predicates  r{q,s,s')  which  permit  that  transfer  arc  true: 

V.v^,.v^'g  5"  3a\.v'g  S  :  s  =  pr{s^),s  =  Vr g  R:  r(q,s,s)  ='TRUE’'. 

Property  of  security  for  the  system  Z  can  be  represented  as  A  =  {Z,A/.Cr),  where 
Cr  is  a  set  of  security  requirements  (i.e.  security  criteria).  The  security  constraints 
have  a  form  of  predicates  like  rr(.v)  defined  on  the  states  S.  These  predicates  check  the 
security  of  the  states.  The  state  .vg  S  is  secure  iff  for  each  criterion  cg  C  all  of  the 

predicates  c(.v)  are  true:  V.v^  G  5^  3.9G  5  :  .v  =  pr(s^ ),  VcG  C :  r(.v)  ="TRUE". 

Therefore,  formally,  the  system  Z  which  implements  the  access  control  model  Af 
meets  the  security  conditions  iff: 

—  the  system  Z  corresponds  to  the  access  control  rules  of  the  model  M: 

g  3.V,  .v’e  S  :  s  -  pr{s^),  a'=  pr{s^')3r  G  R  :  r{(p  s\  s' )  ="TRUE" 

~  the  system  states  (i.c.  a  set  of  security  settings  and  their  values  in  the  given 
state  and  in  any  reachable  state)  satisfy  the  security  criteria: 

3.ve  S  :s  =  pr(s^  ).VceC:  c(s)  ="TRUE". 

Both  of  these  issues  can  evident  on  system  security. 

To  represent  the  system  integrity  via  the  security  settings  agreement  between 
the  program  components,  let’s  to  review  the  function 

n/ :  PxTx  xV^ —>  RxTxA^  xV^  which  for  the  set  a' e  A^  with  values 
yf'P  G  of  the  given  program  component  pe  P  of  the  type  /G  T  points  to  the  set 

of  agreed  attributes  G  A^  with  values  g  V' of  another  program  item  //g  P 

of  the  type  fG  T .  In  common  case,  for  this  function  there  is  no  restrictions  like 
p  ^  p'  ^  because  in  the  complex  systems  there  is  a  mutual  influence  of  the  settings 
within  sole  program  component  (c.g.,  in  the  operating  systems  setting  the  values  of 
.some  settings  can  refuse  the  action  of  other  settings:  for  instance,  in  Windows,  the 
registry  key  modification  can  suppress  the  Internet  Explorer  security  option). 

Commonly,  to  each  value  of  program  item  there  is  defined  one  (lets  note  it  VM  or 
several  (lets  depict  it  V'^±AV'^)  values  referring  to  another  program 
item:  ref  \PxTxAxV^  ^  PxTxAx{V^  ±AVl^) .  The  reverse  function 

ref~^  :  PxTxAxiV'^  ±AVl^)^  PxTxAxiV'^  ±AVl^)  defines  the  area  v'^  ±AVl^ 
for  each  point  taken  from  Existence  of  two  areas  ±AV^  and 

±AVj^  allows  us  formally  specify  the  system  integrity  via  agreement  of  the 
program  items  and  their  settings.  Therefore,  for  the  system  that  consists  of  a  set  of 
program  items  P,  an  area  of  symmetric  relations  has  not  to  be  empty: 

V/JG  PyteT  3a e  A'  :3pe  P,3/’g  7,3J^  =  tAV^*^  u 

=  ±AV<^*^  :  ref(pjAj\d^)-<  p\t\a\d^  >; 

ref''\p\t\a\d^)  =  <  pj,a\d'>\d'r\d^ 


342 


D.P.  Zeg/hda,  P.D.  Zegzhda,  and  M.O.  Kalinin 


AppUcalJon 


Operating  System 


urity  Mechanism 


Settings  Providing  Security 


SKunly  Cmeria 


Secunty  Cnteria 

y 


Security 

Requirements 

~ 


Fig.  2.  Integrity  Universe  Finding 


Intersection  of  all  such  areas  provides  the  universe  of  integrity.  Measure  of  integrity  is 
a  power  of  that  universe.  Fig.  2  demonstrates  iterations  of  finding  the  integrity  uni¬ 
verse  for  three  program  components  (operating  system,  application,  and  security 
mechanism). 

If  the  process  starts  from  one  setting,  then  the  area  of  agreement  eonsists  of  one 
element,  and  as  the  result  the  TIE  obtains  the  stable  integrity.  If  there  is  an  area  of 
reverse  settings,  which  intersection  with  the  start  area  is  not  empty,  then  there  are  two 
possible  variants: 

-  the  reverse  area  re-ealeulation  forms  the  parameters  which  are  not  secure.  In 
that  case,  the  system  can  not  be  considered  as  secure,  because  its  configuration  con¬ 
tains  incompatible  settings.  As  well,  there  is  no  integrity  in  that  system; 

—  the  reverse  area  re-calculation  forms  the  parameters  whieh  .satisfy  the  security 
criteria.  In  that  ease,  there  is  necessary  to  recursively  cheek  all  other  program  compo¬ 
nents  for  their  agreement  between  the  settings. 

The  discussed  formalization  makes  it  possible  to  compose  the  tools  of  dynamic  secu¬ 
rity  and  integrity  control  for  any  kind  of  TIE  (see  Fig  3  for  the  common  schema  of  the 
security  and  integrity  eontrol  system).  Historieally,  theoretical  approaches  aimed  to 
build  a  .sy.stem  that  allows  to  manage  any  process  are  summarized  in  the  form  of  eon¬ 
trol  systems.  The  eontrol  systems  that  provide  automatie  mode  of  maintenanee  are 
called  automatic  control  systems  (ACS)  (e.g.  [8],  [9]).  ACS  is  used  to  synthesize  and 
analyze  common  models  and  speeifieations  of  mathematical  and  technical  processes 
and  systems.  They  do  not  touch  problems  of  the  information  systems,  e.speeially  the 
security  aspects.  Wc  suggest  combining  theory  of  ACS  and  a  concept  of  controllable 
settings  and  thus  constructing  an  automatic  security  management  system  which  moni¬ 
tors  and  controls  the  system  security  and  integrity  permanently  in  accordance  to  .secu¬ 
rity  requirements  (e.g.,  in  [!()))  . 


Clarifying  Integrity  Control  at  the  Trusted  Information  Environment 


343 


Fig.  3.  The  Dynamic  Security  and  Integrity  Control  System 

That  system  takes  from  ACS  theory  a  paradigm  of  parameterized  control  applied  to 
the  target  system.  It  is  a  closed-loop  control  system  that  requires  no  operator's  action 
while  it’s  working.  This  assumes  the  security  estimation  remains  in  the  normal  range 
for  the  controlled  system.  In  our  case,  parameters  to  be  controlled  are  the  system 
security  settings  and  their  changeable  values:  a  set  and  a  structure  of  the  critical  sys¬ 
tem  program  components  (i.e.  applications,  services,  executive  files,  processes,  etc):  a 
set  and  a  .structure  of  the  access  subjects  (i.e,  users,  groups,  members  of  groups,  etc.); 
a  set  and  a  structure  of  the  critical  access  objects  (i.e.  files,  directories,  registry  keys, 
printers,  shared  resources,  hierarchical  structure,  etc.);  a  set  and  values  of  the  subjects’ 
and  objects’  security  settings  (i.e.  names,  paths,  IDs,  privileges,  access  rights,  owners 
IDs,  etc.):  a  set  and  values  and  security  options  of  the  applications  (i.e.  Internet  secu¬ 
rity  zones,  login/passw'ords,  firewall  filtering  rules,  etc.) 

A  .set  of  security  parameters  is  called  a  system  configuration.  The  system  configu¬ 
ration  is  a  manipulated  variable  (terminology  of  ACS).  Another  variable  —  a 
controlled  variable  —  is  a  security  and  integrity  estimation.  It  is  maintained  at  a  speci¬ 
fied  value  or  within  a  specified  range.  To  control  .security,  the  system  acts  on  the 
configuration  to  maintain  the  security  and  integrity  estimation  at  the  specified  value 
or  within  the  specified  range.  The  control  system  gets  information  of  the  current 
system  .security  configuration;  evaluates  the  security  of  the  current  configuration; 
estimates  the  integrity  of  the  current  configuration  over  all  program  components;  and 
adapts  the  system's  configuration  to  security  impacts.  In  that  manner  we  obtain  auto¬ 
matic  implementation  of  the  permanent  active  cycle  of  security  management  applied 
to  the  practical  IE  and  thus  make  IE  a  trusted  one. 


4  Conclusion 

The  paper  has  addressed  to  security  problem  of  integrity  monitoring  and  control  in 
modern  complex  information  environments.  We  have  review^ed  that  the  environment 


344 


D.P.  Zegzhda,  P.D.  Zegzhda,  and  M.O.  Kalinin 


contains  variable  and  stable  components.  As  for  stable  items,  there  are  no  innova¬ 
tions;  the  cryptography  algorithms  are  well  suitable  for  integrity  control.  But  for  the 
variable  components  the  new  approaches  are  required. 

The  paper  has  discussed  the  formal  foundations  of  the  suggested  method  of  integ¬ 
rity  control  for  changeable  program  components  of  the  trusted  information  environ¬ 
ment.  Our  technique  is  based  on  finding  the  security  settings  which  form  the  secure 
environment,  and  on  consequent  iterative  searching  of  secure  settings  which  are  mu¬ 
tually  agreed  with  all  settings  of  all  program  components.  The  suggested  approach 
allowed  us  to  propose  a  schema  of  dynamic  Security  and  Integrity  Control  System 
which  could  automate  process  of  security  trustiness  assurance. 

References 

1.  ISO/IEC  15408:  Information  technology.  Security  techniques.  Evaluation  criteria  for  IT 
.security  (2005) 

2.  Trusted  Solaris, 

http : / /WWW. sun . com/software/ Solaris /trustedsolar is 

3.  HPUX,  http: //docs  .hp.  com 

4.  RSBAC,  http :  //wvw.  rsbac  .  org/documentation/rsbac_handbook 

5.  GRSecurity,  http :  /  /grsecurity .  org 

6.  Astaro  Security  Gateway, 

http : / /WWW. astaro . com/our_products/astaro_security_gateway 

7.  Alve.s-Foss,  J.,  Taylor,  C.,  Oman,  P.:  A  multi-layered  approach  to  security  in  high  assur¬ 
ance  system  development.  In:  Proc.  of  37th  Annual  Hawaii  Inti.  Conf.  on  System  Science 
(HICSS-37),  Hawaii  (2004) 

8.  Stefani,  R.T.,  et  al.:  Design  of  Feedback  Control  Systems.  Oxford  University  Press, 
Oxford  (2001 ) 

9.  Dorf,  R.C.,  Bishop,  R.H.:  Modem  Control  Systems.  Prentice  Hall,  Englewood  Cliffs 
(2007) 

10.  ISO/IEC  17799:  Information  technology.  Security  techniques.  Code  of  practice  for  infor¬ 
mation  security  management  (2005) 

11.  Dillard,  K.,  Maldonado,  J.,  Warrender,  B.:  Microsoft  Solutions  for  Security.  Windows 
Server  2003  Security  Guide.  Microsoft  (2003) 


Author  Index 


AI)ii-Chazaloli.  Nael  70 
Akar,  Ozaii  155 
Anton,  Pablo  284 

HtMison,  Glenn  KiO 

Honissoii,  Marc  80 

Chin,  Sliin-Kai  125,  109 

Cro.stoii.  Sean  169 
(’nppens-Boulahia,  Nora  1 
Cnppeiis,  Frederic  1 

Danner.  Peter  270 
Debcar,  llerve  1 
Desnitsky,  V"a,sily  298 
Doinnitser,  Leonhl  70 

Franke,  Katrin  2  12 

(iollinann.  Dieter  21 
Grnslio,  Alexander  1 18 
Grnsho.  Nikolai  118 

Hein,  Daniel  270 

Javarainan,  Kart  hick  109 

Kalinin.  Maxim  O.  217.  337 
Kartaltep<\  Erhan  229 
Kheir,  Nizar  I 
Khonry.  Rfiphael  139 
Kotenko,  Igor  209,  298 
Kraxl)('rger,  Stefan  270 
Kri,shnan,  Rani  55 
Kwiat,  Kevin  102 

Lackner,  Guenter  256 

Mafia.  Antonio  284 
Markov.  Yaroslav  A.  217 
MoldovA'an,  Diiiitriy  N.  183 

Moldovyaii.  Nikolay  A,  183 

Molisz,  Wojciech  307 


Morales,  Jos(»  Andre  229 
Morrisett,  Greg  32 
Mnccio.  Sarah  125 
Mnnoz,  Antonio  284 

Nguyen,  llai  I'hanh  242 
Nin,  Jiaiiwei  55 

Older,  Susan  125.  109 

Payer,  Fdo  256 
Petrovic,  Slobodan  242 
Pietre-Canibacedes,  Lndovic  86 
Ponomarev,  Dmitry  70 
Preiieel.  Bart  36 

Rak,  .lacek  307 
Riek<\  Roland  321 
Rndiiia,  Ekati’rina  329 

Sacha,  Krzy.sztof  195 
Sacuiko,  Igor  209 
Sandlin.  Ravi  55,  229 
Sankaranarayanan,  Vidyaraman 
Stoynova,  Zaliarina  321 

Tawbi,  Na<lia  139 
Tenfl,  Pet  er  256 
Tinionina,  Elena  118 

Ufiik  (’aglayaii,  M,  155 
Unal,  Devriiii  155 
IJpadhyaya,  Shambliii  102 

Vestal.  TlionicW  N,J.  125 

Wiiisboroiigh.  William  11.  55 

Xn,  Shonlniai  229 

Zegzlida,  Dmitry  P.  329,  337 
Zegzhda,  Peter  D,  337 


Lecture  Notes  in  Computer  Science 

The  LNCS  series  reports  state-of-the-art  results  in  computer  science 
research,  development,  and  education,  at  a  high  level  and  in  both  printed 
and  electronic  form.  Enjoying  tight  cooperation  with  the  R&D  community, 
with  numerous  individuals,  as  well  as  with  prestigious  organizations  and 
societies,  LNCS  has  grown  into  the  most  comprehensive  computer  science 
research  forum  available. 

The  scope  of  LNCS,  including  its  subseries  LNAI  and  LNBI,  spans  the 
whole  range  of  computer  science  and  information  technology  including 
interdisciplinary  topics  in  a  variety  of  application  fields.  The  type  of 
material  published  traditionally  includes 

-  proceedings  (published  in  time  for  the  respective  conference) 

-  post-proceedings  (consisting  of  thoroughly  revised  final  full  papers) 

-  research  monographs  (which  may  be  based  on  outstanding  PhD  work, 
research  projects,  technical  reports,  etc.) 


More  recently,  several  color-cover  sublines  have  been  added  featuring, 
beyond  a  collection  of  papers,  various  added-value  components;  these 
sublines  include 

-  tutorials  (textbook-like  monographs  or  collections  of  lectures  given  at 
advanced  courses) 

-  state-of-the-art  surveys  (offering  complete  and  mediated  coverage 
of  a  topic) 

-  hot  topics  (introducing  emergent  topics  to  the  broader  community) 

In  parallel  to  the  printed  book,  each  new  volume  is  published  electronically 
in  LNCS  Online. 

Detailed  information  on  LNCS  can  be  found  at 
ww>v.springer.com/lncs 

Proposals  for  publication  should  be  sent  to 

LNCS  Editorial,  Tiergartenstr.  17,  69121  Heidelberg,  Germany' 

E-mail:  lncs@springer.com 


ISSN  0302-9743 


I  ISBN  9^8-3-64;  ■1470^?-0 


^  9 


783642 


147050 


Lecture  Notes  i 
Computer  ScieMS 


>  springer.corri: 


